Postie Suspended from the WordPress repository

UPDATE Jan 18, 2020 Postie has been reinstated!
I was notified today that Postie has been suspended from the WordPress plugin repository:

Your plugin has had to be temporarily withdrawn from the WordPress.org Plugin Directory due to an exploit.

The exploit is this: if someone knows your secret Postie email address and the email address of an authorized poster, forges the email headers, and your email server lets the forged headers through, then they could post something.

The report also documents an example of using this to inject some JavaScript, if the attacker knows all of the above.

You can read the gory details at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20203.

Impact

There is little impact if you don’t publicize your secret Postie email address and the email addresses of those users allowed to post.

Resolution

I am actively looking into validating received emails via SPF and DKIM, which are the same mechanisms email hosts use to verify email. This validation will likely affect some users, so I will include an option for turning it off.
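As an added example (not Postie's own code, and not the implementation being worked on), here is one way a mail-ingesting WordPress plugin can apply the SPF/DKIM check described above in PHP. Rather than doing DNS lookups itself, it reads the Authentication-Results header (RFC 8601) that the receiving mail host stamps on each message, checks that the header was written by your own mail host, and accepts the From address as an authorized poster only if that host reports spf=pass for a MAIL FROM in the same domain, or dkim=pass for a signature whose d= is that domain. The function names, the postie_example_ prefix, the host name mx.example.net and the sample headers are all constructed for this illustration.

```php
<?php
// Added example, not Postie's own code. It applies the SPF/DKIM idea from the
// text by trusting the Authentication-Results header written by your own mail
// host. All names and sample values below are constructed for illustration.

/** Domain part of an email address (lower-cased), or null if there is none. */
function postie_example_address_domain(string $address): ?string {
    // Prefer the addr-spec inside angle brackets: "Alice <alice@example.com>".
    // A production plugin should use a real RFC 5322 address parser instead.
    if (preg_match('/<([^>]+)>/', $address, $m)) {
        $address = $m[1];
    }
    $at = strrpos($address, '@');
    if ($at === false) {
        return null;
    }
    return strtolower(trim(substr($address, $at + 1)));
}

/**
 * Parse an Authentication-Results header into
 *   ['authserv' => 'mx.example.net',
 *    'results'  => [['method' => 'spf', 'result' => 'pass',
 *                    'props' => ['smtp.mailfrom' => 'alice@example.com']], ...]]
 * Only the authserv-id, method, result and ptype.property=value pairs are kept.
 */
function postie_example_parse_auth_results(string $header): array {
    // Unfold continuation lines, then split the resinfo entries on ';'.
    $header = preg_replace('/\r?\n[ \t]+/', ' ', $header);
    $parts = array_map('trim', explode(';', $header));
    // First entry is the authserv-id, optionally followed by a version number.
    $authserv = strtolower(preg_split('/\s+/', (string) array_shift($parts))[0]);
    $results = [];
    foreach ($parts as $part) {
        // "method=result", followed by optional "(comment)" and ptype.property=value pairs.
        if ($part === '' || !preg_match('/^([a-z0-9-]+)=([a-z]+)/i', $part, $m)) {
            continue;
        }
        $props = [];
        preg_match_all('/([a-z]+\.[a-z_-]+)=([^\s;]+)/i', $part, $pm, PREG_SET_ORDER);
        foreach ($pm as $p) {
            $props[strtolower($p[1])] = strtolower($p[2]);
        }
        $results[] = ['method' => strtolower($m[1]), 'result' => strtolower($m[2]), 'props' => $props];
    }
    return ['authserv' => $authserv, 'results' => $results];
}

/**
 * True only if the message's From domain was authenticated by the trusted mail
 * host: spf=pass with a MAIL FROM in the From domain, or dkim=pass with d= equal
 * to the From domain (strict alignment). Anything else, including a missing
 * header or a header written by some other server, is rejected.
 */
function postie_example_sender_is_authenticated(array $headers, string $trusted_authserv): bool {
    $from_domain = postie_example_address_domain($headers['From'] ?? '');
    if ($from_domain === null || empty($headers['Authentication-Results'])) {
        return false;
    }
    $parsed = postie_example_parse_auth_results($headers['Authentication-Results']);
    // Anyone can add their own Authentication-Results line to a message they send,
    // so only honour the one stamped by the mail host you actually receive through.
    if ($parsed['authserv'] !== strtolower($trusted_authserv)) {
        return false;
    }
    foreach ($parsed['results'] as $r) {
        if ($r['result'] !== 'pass') {
            continue;
        }
        if ($r['method'] === 'dkim' && ($r['props']['header.d'] ?? '') === $from_domain) {
            return true;
        }
        if ($r['method'] === 'spf'
            && postie_example_address_domain($r['props']['smtp.mailfrom'] ?? '') === $from_domain) {
            return true;
        }
    }
    return false;
}

// Constructed samples. The first mimics a forged message: the From matches an
// authorized poster, but the mail host reports SPF fail and no DKIM signature.
$forged = [
    'From' => 'Alice <alice@example.com>',
    'Authentication-Results' => "mx.example.net;\r\n\tspf=fail (sender IP is 203.0.113.5) "
        . "smtp.mailfrom=alice@example.com;\r\n\tdkim=none",
];
$genuine = [
    'From' => 'alice@example.com',
    'Authentication-Results' => 'mx.example.net; dkim=pass header.d=example.com header.s=sel1; '
        . 'spf=pass smtp.mailfrom=alice@example.com',
];
var_dump(postie_example_sender_is_authenticated($forged, 'mx.example.net'));
var_dump(postie_example_sender_is_authenticated($genuine, 'mx.example.net'));
```

The authserv-id comparison is the part that makes this meaningful: a sender can include an Authentication-Results line of their own, so the check relies on your mail host removing incoming copies that carry its own id (most MTAs do) and on the plugin comparing against that id. Only strict alignment is handled here; a host that signs with a parent domain would need relaxed alignment, and messages that arrive without the header at all are rejected, which is exactly why an option to turn such validation off is sensible.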

I do not know the exact timing yet, but I expect this will get resolved in the next couple of weeks and Postie will be restored to the WordPress plugin repository.

Replace/Update Post by Email

A frequently requested feature is to be able to update a post by email. I’m happy to announce that it is now possible to do this via the Postie Shortcodes Addon.

To update a post, create your email as usual, then add [preplace] at the end. For Postie to know which post to replace, your email subject must match the post title exactly.

Let me know if this is useful.

1.9.38 Released

  • Fix bug where filtering out an attachment using postie_include_attachment prevented other attachments from being processed

1.9.36 Released

Fixed a bug where image titles were blank. The bug was introduced in 1.9.34. No significant impact: image files just had a blank title and showed as “(no title)” in the Media Library.

1.9.35 Released

Allow for a single admin when sending post confirmation emails.

The Notify on Error setting now lists individual admins in addition to the Nobody and All Admins options.