Action: postie_register_shortcode_pre

This action is called just before postie_post_before.

You use this action to register any Postie specific shortcodes.

<?php 
function my_postie_register_shortcode_pre() {
    //register any Postie shortcodes
    add_shortcode('myshortcode', 'my_shortcode');
}

add_action('postie_register_shortcode_pre', 'my_postie_register_shortcode_pre');

// works like a standard shortcode
function my_shortcode($att, $content = null) {
    global $postie_post; // the current post
    return '<p>My shortcode</p>';
}
?>

Postie Suspended from the WordPress repository

UPDATE Jan 18, 2020 Postie has been reinstated!


I was notified today that Postie has been suspended from the WordPress plugin repository

Your plugin has had to be temporarily withdrawn from the WordPress.org Plugin Directory due to an exploit.

The exploit is that if someone knows your secret Postie email address and knows the email address of an authorized poster and they forge the email headers and your email server lets the forged headers through then they could post something.

There is also an example exploit documented to inject some javascript if the attacker knows all of the above.

You can read the gory details at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20203

Impact

There is little impact if you don’t publicize your secret Postie email address and the email addresses of those users allowed to post.

Resolution

I am actively looking into validating received emails via SPF and DKIM which are the same mechanisms email hosts use for verifying emails. This validation will likely affect some users so I will include an option for turning it off.

I do not know the exact timing yet, but I expect this will get resolved in the next couple of weeks and Postie will be restored to the WordPress plugin repository.