{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-9762", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-31T15:08:49.005Z", "datePublished": "2025-09-30T03:35:28.206Z", "dateUpdated": "2026-04-08T17:05:16.411Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:16.411Z"}, "affected": [{"vendor": "westi", "product": "Post By Email", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.4b", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Post By Email plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_attachments function in all versions up to, and including, 1.0.4b. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "title": "Post By Email <= 1.0.4b - Unauthenticated Arbitrary File Upload via Email Attachments", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/885eb923-8e69-416b-8494-a42a9465cfe0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/post-by-email/tags/1.0.4b/class-post-by-email.php#L702"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "cweId": "CWE-78", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-08-16T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-09-29T15:30:11.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-30T15:27:03.191300Z", "id": "CVE-2025-9762", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-30T15:27:13.460Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-9762", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-09-30T15:27:03.191300Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-30T15:27:07.579Z"}}], "cna": {"title": "Post By Email <= 1.0.4b - Unauthenticated Arbitrary File Upload via Email Attachments", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "westi", "product": "Post By Email", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.4b"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-08-16T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-09-29T15:30:11.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/885eb923-8e69-416b-8494-a42a9465cfe0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/post-by-email/tags/1.0.4b/class-post-by-email.php#L702"}], "descriptions": [{"lang": "en", "value": "The Post By Email plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_attachments function in all versions up to, and including, 1.0.4b. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:05:16.411Z"}}}, "cveMetadata": {"cveId": "CVE-2025-9762", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:05:16.411Z", "dateReserved": "2025-08-31T15:08:49.005Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-30T03:35:28.206Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Post By Email plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_attachments function in all versions up to, and including, 1.0.4b. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible."}, {"lang": "es", "value": "El plugin Post By Email para WordPress es vulnerable a la carga arbitraria de archivos debido a la falta de validaci\u00f3n del tipo de archivo en la funci\u00f3n save_attachments en todas las versiones hasta la 1.0.4b, inclusive. Esto hace posible que atacantes no autenticados carguen archivos arbitrarios en el servidor del sitio afectado, lo que puede posibilitar la ejecuci\u00f3n remota de c\u00f3digo."}], "id": "CVE-2025-9762", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-30T11:37:47.033", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/post-by-email/tags/1.0.4b/class-post-by-email.php#L702"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/885eb923-8e69-416b-8494-a42a9465cfe0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:43:32.014780+00:00", "value": {"mitigation_remediation": ["Update the Post By Email plugin to a version newer than 1.0.4b or the vendor\u2019s latest release that includes file\u2011type validation.", "If the plugin is not required, permanently disable or delete it from the WordPress installation.", "Configure WordPress or the web server to restrict uploaded file types and enforce strict MIME\u2011type checking, ensuring only safe file formats are accepted."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution (potential)"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the Post By Email plugin version 1.0.4b or earlier are affected. The plugin is available as a WordPress Core plugin and is listed under the vendor \"westi\".", "description_and_impact": "The Post By Email WordPress plugin allows any unauthenticated user to upload files because the save_attachments function does not validate the file type. This flaw, classified as CWE-78, lets an attacker place arbitrary files\u2014including executable scripts\u2014onto the web server. Once on the server, those files can be accessed via a browser, enabling remote code execution or other malicious actions.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 9.8, indicating critical severity, while the EPSS score is below 1% but not zero, suggesting that exploitation is low probability but still possible. The vulnerability is not listed in CISA KEV. The attack vector is remote and unauthenticated: an attacker sends an email with a malicious attachment to the site\u2019s configured email address, the plugin stores the attachment without checks, and the attacker later accesses it through a browser to execute code."}}}}, "created": "2025-09-30T08:47:27.531791+00:00", "updated": "2026-04-21T02:45:25.957118+00:00", "vendors": ["westi", "westi$PRODUCT$post_by_email", "wordpress", "wordpress$PRODUCT$wordpress"]}