CVE-2025-9762 CRITICAL

CVE-2025-9762: Post By Email <= 1.0.4b - Unauthenticated Arbitrary File Upload via Email Attachments

Vendor Westi

Product Post By Email

Weakness CWE-78

Published September 30, 2025

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

9.8/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The Post By Email plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the save_attachments function in all versions up to, and including, 1.0.4b. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

Key dates

02Disclosure timeline

September 30, 2025 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-9762

Related vulnerabilities

04Related CVE

CVE-2025-6102 Wifi-soft UniBox Controller logout.php os command injection CVE-2026-0507 OS Command Injection vulnerability in SAP Application Server for ABAP and SAP NetWeaver RFCSDK CVE-2026-35521 Pi-hole FTL affected by Remote Code Execution (RCE) via dhcp.hosts Newline Injection CVE-2024-0294 Totolink LR1200GB cstecgi.cgi setUssd os command injection CVE-2021-33544 UDP Technology/Geutebrück camera devices: command injection leading to RCE