- escape IMAP password
- fix logging in get_parent_postid
- ensure any modifications made by shortcodes are retained
1.9.45 Released
- Fix email notification bug
Action: postie_register_shortcode_pre
This action is called just before postie_post_before.
Use this action to register any Postie-specific shortcodes.
<?php
function my_postie_register_shortcode_pre() {
    // register any Postie shortcodes
    add_shortcode('myshortcode', 'my_shortcode');
}
add_action('postie_register_shortcode_pre', 'my_postie_register_shortcode_pre');

// works like a standard shortcode
function my_shortcode($att, $content = null) {
    global $postie_post; // the current post
    return '<p>My shortcode</p>';
}
?>
1.9.44 Released
- refactoring to separate email fetch from email processing
- add postie_register_shortcode_pre action for registering Postie shortcodes
1.9.43 Released
- Begin migration of shortcode support into Postie main
1.9.42 Released
- Fix: signature stripping in html emails was failing sometimes
New AddOn: Category for Media
Assigns categories to email attachments when uploaded to the media library.
1.9.41 Released
- Fix: different regex approach for html vs plain
- Only process 1 email at a time
Postie Reinstated to the WordPress repository
After discussions with the WordPress security team, the published exploit was not deemed significant enough to warrant Postie being suspended, and Postie was reinstated without any code changes required.
Postie Suspended from the WordPress repository
UPDATE Jan 18, 2020: Postie has been reinstated!
I was notified today that Postie has been suspended from the WordPress plugin repository:
"Your plugin has had to be temporarily withdrawn from the WordPress.org Plugin Directory due to an exploit."
The exploit is that if someone knows your secret Postie email address, knows the email address of an authorized poster, forges the email headers, and your email server lets the forged headers through, then they could post something.
There is also an example exploit documented to inject some JavaScript if the attacker knows all of the above.
You can read the gory details at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20203
Impact
There is little impact if you don’t publicize your secret Postie email address and the email addresses of those users allowed to post.
Resolution
I am actively looking into validating received emails via SPF and DKIM, which are the same mechanisms email hosts use for verifying emails. This validation will likely affect some users, so I will include an option for turning it off.
I do not know the exact timing yet, but I expect this will get resolved in the next couple of weeks and Postie will be restored to the WordPress plugin repository.
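The kind of SPF/DKIM check described under Resolution, sketched as an added example; it is not Postie's code and not the check Postie shipped. The function names, the header-array shape (Authentication-Results as a list of strings) and the authserv-id mx.example.net are assumptions made for illustration.

```php
<?php
// Added example (not Postie code). Assumes your own receiving MTA adds an
// RFC 8601 Authentication-Results header and strips forged copies of its id.

// Domain of the single address in a From header; null if none or several.
function from_domain(string $from): ?string {
    if (preg_match_all('/[^\s<>",;@]+@([A-Za-z0-9.-]+)/', $from, $m) !== 1) {
        return null; // ambiguous From: refuse rather than guess
    }
    return strtolower($m[1][0]);
}

// True only if the trusted MTA recorded a DKIM or SPF pass for exactly the
// From domain (strict alignment, so no Public Suffix List is needed).
function sender_is_authenticated(array $headers, string $trustedId): bool {
    $from = from_domain($headers['From'] ?? '');
    if ($from === null) { return false; }
    foreach ($headers['Authentication-Results'] ?? [] as $ar) {
        $parts = array_map('trim', explode(';', preg_replace('/\s+/', ' ', $ar)));
        $authservId = strtolower(explode(' ', array_shift($parts))[0]);
        if ($authservId !== strtolower($trustedId)) {
            continue; // written by another host, possibly the sender
        }
        foreach ($parts as $result) {
            if (preg_match('/^dkim=pass\b.*\bheader\.d=([^\s;]+)/i', $result, $m)
                && strtolower($m[1]) === $from) {
                return true;
            }
            if (preg_match('/^spf=pass\b.*\bsmtp\.mailfrom=([^\s;]+)/i', $result, $m)
                && strtolower(substr(strrchr('@' . $m[1], '@'), 1)) === $from) {
                return true;
            }
        }
    }
    return false;
}

// Constructed samples: a forged From with a sender-added results line, then a genuine pass.
$forged = [
    'From' => 'Author <author@example.org>',
    'Authentication-Results' => [
        'mx.example.net; spf=pass smtp.mailfrom=bounce@mailer.example.com; dkim=none',
        'attacker.invalid; dkim=pass header.d=example.org',
    ],
];
$genuine = ['From' => 'Author <author@example.org>',
    'Authentication-Results' => ['mx.example.net; dkim=pass header.d=example.org']];
var_dump(sender_is_authenticated($forged, 'mx.example.net'), sender_is_authenticated($genuine, 'mx.example.net'));
```

The forged message is rejected because the only pass recorded by the trusted host is for a different domain than the From address, and the line claiming a DKIM pass carries an untrusted authserv-id. Messages from senders whose domains publish no SPF or DKIM would also be rejected, which is why an off switch is mentioned above.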