Postie Suspended from the WordPress repository

UPDATE Jan 18, 2020: Postie has been reinstated!

I was notified today that Postie has been suspended from the WordPress plugin repository:

Your plugin has had to be temporarily withdrawn from the WordPress.org Plugin Directory due to an exploit.

The exploit works like this: if an attacker knows your secret Postie email address and the email address of an authorized poster, forges the email headers so the message appears to come from that poster, and your email server lets the forged headers through, then they can create a post.

There is also a documented example exploit that injects JavaScript through such a post; it requires the attacker to know all of the above.

You can read the gory details at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20203

Impact

There is little impact if you don’t publicize your secret Postie email address or the email addresses of the users allowed to post.

Resolution

I am actively looking into validating received emails via SPF and DKIM, which are the same mechanisms email hosts use for verifying emails. This validation will likely affect some users, so I will include an option for turning it off.
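To illustrate the kind of validation described above, here is an added Python example (not Postie's code, and not its eventual implementation): it trusts only the Authentication-Results header stamped by your own receiving mail server, identified by an assumed authserv-id, and accepts a post only when that server reports spf=pass or dkim=pass for a domain matching the From address of an allowed poster. The sample messages are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed authserv-id of our own receiving mail server (RFC 8601); constructed for this example.
AUTHSERV_ID = "mx.example.net"

def parse_auth_results(value):
    """Parse one Authentication-Results header into (authserv_id, {method: (result, props)})."""
    value = " ".join(str(value).split())  # unfold continuation lines
    parts = [p.strip() for p in value.split(";") if p.strip()]
    results = {}
    for stanza in parts[1:]:
        m = re.match(r"(\w+)=(\w+)(.*)", stanza)
        if m:
            method, result, rest = m.groups()
            results[method.lower()] = (result.lower(), dict(re.findall(r"([\w.]+)=([^\s;]+)", rest)))
    return (parts[0].split()[0] if parts else ""), results

def sender_is_authenticated(msg, authserv_id=AUTHSERV_ID):
    """True only if OUR server reports spf=pass or dkim=pass for a domain matching From."""
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for hdr in msg.get_all("Authentication-Results", []):
        reporter, results = parse_auth_results(hdr)
        if not from_domain or reporter.lower() != authserv_id.lower():
            continue  # header added by another host (or supplied by the sender): ignore it
        spf_result, spf_props = results.get("spf", ("none", {}))
        if spf_result == "pass" and spf_props.get("smtp.mailfrom", "").rpartition("@")[2].lower() == from_domain:
            return True
        dkim_result, dkim_props = results.get("dkim", ("none", {}))
        if dkim_result == "pass" and dkim_props.get("header.d", "").lower() == from_domain:
            return True
    return False

def may_post(raw, allowed_senders, authserv_id=AUTHSERV_ID):
    """Gate a Postie-style post: From must be an allowed poster AND authenticated by our server."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return sender in allowed_senders and sender_is_authenticated(msg, authserv_id)

# Constructed sample messages; both claim to come from the authorized poster.
GOOD_MSG = (b"From: Author <author@example.com>\r\n"
            b"Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=author@example.com;\r\n"
            b" dkim=pass header.d=example.com header.s=sel1\r\n\r\nLegitimate post body.\r\n")
SPOOFED_MSG = (b"From: Author <author@example.com>\r\n"
               b"Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bounce@mail.invalid;"
               b" dkim=none\r\n\r\nForged post body.\r\n")

print(may_post(GOOD_MSG, {"author@example.com"}), may_post(SPOOFED_MSG, {"author@example.com"}))  # True False
```

The check is only as strong as the mail server feeding it: that server must add the Authentication-Results header on every delivery and strip any pre-existing header claiming its authserv-id (RFC 8601, section 5), otherwise the gate can be satisfied by a header the sender supplied.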

I do not know the exact timing yet, but I expect this will get resolved in the next couple of weeks and Postie will be restored to the WordPress plugin repository.