Introduction
Attackers can gain remote code execution on WordPress sites simply by sending a crafted email with a malicious attachment. This is possible due to a critical flaw in the Post By Email plugin, which is used to automate post creation via email. The plugin is a third-party extension for WordPress, a content management system powering over 40 percent of the web. The Post By Email plugin is not maintained by the core WordPress team and is less widely used than major plugins, but its functionality is attractive for organizations automating content workflows.
Technical Information
CVE-2025-9762 is an arbitrary file upload vulnerability in the Post By Email plugin for WordPress. The vulnerability is present in all versions up to and including 1.0.4b. The root cause is the absence of file type validation in the save_attachments function, located in class-post-by-email.php at line 702.
When the plugin receives an email with attachments, it processes and saves those attachments to the server. Unlike WordPress's built-in media upload functionality, which checks file types and extensions, the plugin's custom logic does not validate the file type, extension, or content. This allows unauthenticated attackers to send emails with arbitrary files (such as PHP scripts) as attachments. The plugin saves these files to the server, often in web-accessible directories. If an attacker uploads a PHP file and accesses it via the web, they can achieve remote code execution.
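The contrast this paragraph draws, shown as an added example that is not the plugin's code: a constructed save routine with the flaw the advisory describes, beside a hardened version that hands the bytes to WordPress's own wp_handle_sideload(), which runs wp_check_filetype_and_ext() and enforces the upload_mimes allowlist. The function names, the images-and-PDF allowlist and the sample call are assumptions made for the example.

```php
<?php
// Added example, not code from the Post By Email plugin. Both functions are
// hypothetical and assume they run inside WordPress (ABSPATH, wp_upload_dir()
// and the wp-admin file helpers are available).

// Vulnerable pattern as the advisory describes it: the sender controls both the
// file name and the bytes, and nothing checks the extension, MIME type or content.
function insecure_save_attachment( $name, $bytes ) {
    $upload_dir = wp_upload_dir();
    $path = trailingslashit( $upload_dir['path'] ) . $name; // "anything.php" lands here
    file_put_contents( $path, $bytes );                      // web-accessible once written
    return $path;
}

// Hardened version: stage the bytes in a temp file and let wp_handle_sideload()
// decide. It calls wp_check_filetype_and_ext() (extension check plus, for images,
// a check of the real image type) and rejects anything outside the upload_mimes
// allowlist, which is narrowed further, for this call only, to the document types
// an email workflow needs.
function secure_save_attachment( $name, $bytes ) {
    require_once ABSPATH . 'wp-admin/includes/file.php';

    $name = sanitize_file_name( $name );            // strips path separators and oddities
    if ( '' === $name ) {
        return new WP_Error( 'bad_name', 'Attachment has no usable file name.' );
    }

    $tmp = wp_tempnam( $name );
    file_put_contents( $tmp, $bytes );

    $file = array(
        'name'     => $name,
        'tmp_name' => $tmp,
        'type'     => '',                           // ignored: WordPress derives the type itself
        'size'     => strlen( $bytes ),
        'error'    => UPLOAD_ERR_OK,
    );

    // Narrow the allowlist (assumed policy: images and PDFs only) while this call runs.
    $restrict = function ( $mimes ) {
        $allowed = array( 'jpg|jpeg|jpe', 'png', 'gif', 'pdf' );
        return array_intersect_key( $mimes, array_flip( $allowed ) );
    };
    add_filter( 'upload_mimes', $restrict );
    $result = wp_handle_sideload( $file, array( 'test_form' => false ) );
    remove_filter( 'upload_mimes', $restrict );

    if ( isset( $result['error'] ) ) {
        @unlink( $tmp );
        return new WP_Error( 'rejected_attachment', $result['error'] );
    }
    return $result['file']; // absolute path inside the uploads directory
}

// Sample call (constructed input): a .php attachment is refused before it is written.
$saved = secure_save_attachment( 'invoice.php', "<?php echo 'not allowed'; ?>" );
if ( is_wp_error( $saved ) ) {
    error_log( 'Rejected attachment: ' . $saved->get_error_message() );
}
```

The design point is that the plugin-specific code never decides what is safe on its own; it reuses the same validation path the media library uses, so any hardening applied through upload_mimes or wp_check_filetype_and_ext also covers email attachments. Extension and MIME checks do not make a writable, web-served directory safe by themselves, so the web server should also be configured not to execute scripts from wp-content/uploads.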
The vulnerability is classified under CWE-78 (OS Command Injection) due to the potential for arbitrary command execution if a malicious script is uploaded and executed. The attack does not require authentication or prior access to the WordPress site. Exploitation is possible as long as the plugin is active and configured to process incoming emails.
No official patch or fixed version exists as of the publication date. The only effective mitigation is to remove or deactivate the plugin.
Affected Systems and Versions
- Product: Post By Email plugin for WordPress
- Affected versions: All versions up to and including 1.0.4b
- Vulnerable configurations: Any WordPress installation with the Post By Email plugin active and configured to process incoming emails
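A check an administrator can run on an installation that has had this plugin active, shown as an added example that is not part of the advisory: it walks the uploads directory and reports files the web server could execute, matching PHP-handled extensions anywhere in the file name (so double extensions such as image.php.jpg are caught) and files whose leading bytes contain a PHP open tag regardless of extension. The function name and the sample directory tree are constructed for the example.

```php
<?php
// Added example, not from the advisory or the plugin. Plain PHP, no WordPress
// dependency; point find_suspicious_uploads() at wp-content/uploads.
function find_suspicious_uploads( string $dir ): array {
    $hits = array();
    // PHP-handled extensions, either at the end of the name or followed by a
    // further extension (servers that match extensions left to right).
    $executable = '/\.(php|phtml|php[3-8]|phar)(\.|$)/i';
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $dir, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $path   = $file->getPathname();
        $reason = null;
        if ( preg_match( $executable, $file->getFilename() ) ) {
            $reason = 'php extension';
        } else {
            // Only the first 4 KiB are read; an open tag there is enough to flag the file.
            $head = file_get_contents( $path, false, null, 0, 4096 );
            if ( false !== $head && preg_match( '/<\?(php|=)/i', $head ) ) {
                $reason = 'php open tag in content';
            }
        }
        if ( null !== $reason ) {
            $hits[ $path ] = $reason;
        }
    }
    ksort( $hits );
    return $hits;
}

// Constructed sample tree so the script runs stand-alone.
$root = sys_get_temp_dir() . '/uploads-' . bin2hex( random_bytes( 4 ) );
mkdir( "$root/2025/09", 0700, true );
file_put_contents( "$root/2025/09/photo.jpg", "\xFF\xD8\xFF" );          // clean image header
file_put_contents( "$root/2025/09/report.pdf", "%PDF-1.4" );              // clean document
file_put_contents( "$root/2025/09/invoice.php", "<?php echo 'x';" );      // executable by name
file_put_contents( "$root/2025/09/image.php.jpg", "\xFF\xD8" );           // double extension
file_put_contents( "$root/2025/09/notes.txt", "<?php echo 'y'; ?>" );     // PHP inside a .txt

foreach ( find_suspicious_uploads( $root ) as $path => $why ) {
    echo "$path: $why\n";   // expect invoice.php, image.php.jpg and notes.txt to be listed
}
```

A hit is a starting point for incident response, not proof of compromise on its own: check the file's timestamp against the plugin's mail-processing activity and the web server access log for requests to that path. The durable mitigation remains the one the advisory gives (remove or deactivate the plugin), combined with a web server rule that refuses to execute scripts under wp-content/uploads.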
Vendor Security History
- The Post By Email plugin has had previous security issues, including a reflected XSS vulnerability (Patchstack advisory).
- The plugin is maintained by a small team and does not have a strong track record of rapid security response or regular updates.