CVE-2025-9762

Post By Email plugin for WordPress

Executive summary

A critical vulnerability has been identified in the "Post By Email" plugin for WordPress, rated 9.8 out of 10. This flaw allows an unauthenticated attacker to upload malicious files to the web server, which can lead to a complete compromise of the website. Successful exploitation could result in data theft, website defacement, and further attacks originating from the compromised server.

Vulnerability

The vulnerability exists within the save_attachments function of the plugin, which is responsible for processing email attachments. The function fails to properly validate the file types of attachments before saving them to the server. An attacker can exploit this by sending a specially crafted email with a malicious executable file (e.g., a PHP web shell) as an attachment, potentially disguised as a common file type. The plugin will process the email and save the malicious file to a web-accessible directory, allowing the attacker to execute the code and gain full control over the web server.

Business impact

This vulnerability is of critical severity with a CVSS score of 9.8. Exploitation could lead to a complete system compromise, posing a significant risk to the organization. Potential consequences include theft of sensitive data such as customer information or intellectual property, disruption of business operations through website defacement or downtime, and reputational damage. The compromised server could also be used as a platform to launch further attacks against other systems, creating additional legal and financial liabilities.

Remediation

Immediate Action: Update the "Post By Email" plugin for WordPress to the latest version available from the vendor, which addresses this vulnerability. After patching, verify that the update applied successfully and that the site is functioning correctly.

Proactive Monitoring: Review web server access logs for suspicious POST requests or direct access attempts to unexpected files in WordPress upload directories (e.g., .php, .phtml files). Monitor for any unexpected files appearing in the /wp-content/uploads/ directory. Implement file integrity monitoring to detect unauthorized changes to the website's file system.
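The log review and uploads-directory check described above can be scripted. The following is an added example written for this advisory, not code from the plugin or its vendor; it assumes Apache/nginx "combined" access-log lines and the default /wp-content/uploads/ location, and the sample log lines are constructed using documentation IP ranges.

```python
import os
import re
from pathlib import Path
from urllib.parse import urlparse

# Extensions the web server should never execute from the uploads tree.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php3", ".php5", ".php7", ".phar"}
UPLOADS_PREFIX = "/wp-content/uploads/"  # assumed default WordPress upload path

# Apache/nginx "combined" access-log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_script_name(filename):
    """True if any extension in the name is executable (also catches shell.php.jpg)."""
    return any(s.lower() in SCRIPT_EXTENSIONS for s in Path(filename).suffixes)

def find_suspicious_requests(log_lines):
    """Return (client, method, path, status) for requests that hit a script-looking
    file under the uploads tree, which legitimate WordPress traffic never does."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = urlparse(m.group("target")).path  # drop any query string
        if path.startswith(UPLOADS_PREFIX) and is_script_name(Path(path).name):
            hits.append((m.group("client"), m.group("method"), path, m.group("status")))
    return hits

def find_script_files(uploads_dir):
    """Walk the uploads directory on disk and return files whose names look executable."""
    found = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if is_script_name(name):
                found.append(os.path.join(root, name))
    return sorted(found)

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Sep/2025:12:01:02 +0000] "GET /wp-content/uploads/2025/09/photo.jpg HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Sep/2025:12:01:05 +0000] "GET /wp-content/uploads/2025/09/invoice.php?f=1 HTTP/1.1" 200 88 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Sep/2025:12:02:10 +0000] "POST /wp-content/uploads/2025/09/img.phtml HTTP/1.1" 200 12 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Sep/2025:12:03:00 +0000] "GET /wp-admin/admin-ajax.php HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
]
```

Run `find_suspicious_requests(SAMPLE_LOG)` to see the two flagged requests, and point `find_script_files` at the site's real uploads directory to list files that should not be there.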

Compensating Controls: If immediate patching is not feasible, consider the following controls:

  • Disable and remove the "Post By Email" plugin until it can be safely updated.
  • Deploy a Web Application Firewall (WAF) with rules designed to inspect and block malicious file uploads.
  • Harden web server permissions to prevent script execution in directories where file uploads are stored.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 9.8 and the high potential for remote code execution, immediate remediation is strongly recommended. Organizations must prioritize updating the affected "Post By Email" plugin to the latest patched version without delay. Although this vulnerability is not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, its severity makes it a highly attractive target for threat actors, and organizations should treat it as an imminent threat.