Postie Security & Risk Analysis

wordpress.org/plugins/postie

Postie allows you to create posts via email, including many advanced features not found in WordPress's default Post by Email feature.

10K active installs · v1.9.75 · PHP 7.0+ · WP 5.6+ · Updated Jan 29, 2026

Tags: e-mail, email, post-by-email
Security score: 92 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Dec 31, 2025
Safety Verdict

Is Postie Safe to Use in 2026?

Generally Safe

Score 92/100

Postie has a strong security track record. Known vulnerabilities have been patched promptly.

5 known CVEs · Last CVE: Dec 31, 2025 · Updated 2mo ago
Risk Assessment

The 'postie' plugin version 1.9.75 presents a mixed security posture. On the positive side, static taint analysis identifies no critical vulnerabilities, and all SQL queries are properly prepared. The plugin also demonstrates some use of capability checks. However, there are significant concerns regarding output escaping: only 56% of outputs are properly escaped, leaving a substantial portion potentially vulnerable to Cross-Site Scripting (XSS). Although the attack surface is currently minimal, the absence of any nonce checks on the available entry points is a weakness that could be exploited if the attack surface expands or if specific vulnerabilities are introduced.

The vulnerability history is a major red flag. With 5 known CVEs, including one high-severity vulnerability and four medium-severity ones, primarily related to Cross-Site Scripting, this plugin has a history of security flaws. Although there are no currently unpatched vulnerabilities, the frequency and nature of past issues suggest a recurring problem with input sanitization and output encoding within the plugin's development. The last reported vulnerability was dated in the future, which is an anomaly but does not negate the historical pattern.

In conclusion, while the absence of active critical vulnerabilities and the use of prepared statements are strengths, the high percentage of unescaped output and the plugin's history of XSS vulnerabilities are substantial risks. The lack of nonce checks on any entry points further exacerbates these concerns. Users should proceed with caution and ensure they are on the absolute latest patch for this plugin, as well as monitor for any new security advisories.

Key Concerns

  • High percentage of unescaped output
  • History of High severity vulnerabilities
  • History of Medium severity vulnerabilities
  • No nonce checks on entry points
Postie Security Vulnerabilities (5)

CVEs by Year

  • 2012: 1 CVE
  • 2020: 2 CVEs
  • 2025: 2 CVEs

Severity Breakdown

  • High: 1
  • Medium: 4

5 total CVEs

CVE-2025-63020 · medium · 6.4
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Postie <= 1.9.73 - Authenticated (Contributor+) Stored Cross-Site Scripting
Dec 31, 2025 · Patched in 1.9.74 (9d)

CVE-2024-5200 · medium · 4.4
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Postie <= 1.9.70 - Authenticated (Admin+) Stored Cross-Site Scripting
Sep 8, 2025 · Patched in 1.9.71 (39d)

CVE-2019-20203 · medium · 5.3
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Postie <= 1.9.40 - Post Submission Spoofing & Stored Cross-Site Scripting
Jan 2, 2020 · Patched in 1.9.41 (1482d)

CVE-2019-20204 · medium · 5.4
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Postie <= 1.9.40 - Cross-Site Scripting
Jan 2, 2020 · Patched in 1.9.41 (1482d)

CVE-2012-2580 · high · 7.2
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Postie < 1.4.10 - Cross-Site Scripting
Aug 8, 2012 · Patched in 1.4.10 (4185d)
Postie Code Analysis

Analyzed Mar 16, 2026

Dangerous Functions: 0
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 64 (81 escaped)
Nonce Checks: 0
Capability Checks: 2
File Operations: 9
External Requests: 0
Bundled Libraries: 0

SQL Query Safety

100% prepared (4 total queries)

Output Escaping

56% escaped (145 total outputs)
Postie Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 28

Type    Hook                                  Location
action  postie_log_error                      postie.class.php:47
action  postie_log_debug                      postie.class.php:53
filter  duplicate_comment_id                  postie.class.php:57
filter  intermediate_image_sizes_advanced     postie.class.php:59
action  postie_log_error                      postie.class.php:494
action  postie_log_debug                      postie.class.php:500
action  init                                  postie.php:54
action  parse_request                         postie.php:55
action  admin_init                            postie.php:56
action  admin_menu                            postie.php:57
action  admin_head                            postie.php:58
action  plugins_loaded                        postie.php:59
action  pre_post_update                       postie.php:60
filter  allowed_options                       postie.php:64
filter  whitelist_options                     postie.php:67
filter  cron_schedules                        postie.php:69
filter  query_vars                            postie.php:70
filter  plugin_row_meta                       postie.php:72
filter  enable_post_by_email_configuration    postie.php:73
filter  site_status_tests                     postie.php:74
filter  query                                 postie.php:75
action  check_postie_hook                     postie.php:83
action  admin_notices                         postie.php:378
action  admin_notices                         postie.php:382
action  admin_notices                         postie.php:386
action  admin_notices                         postie.php:390
action  admin_notices                         postie.php:399
action  admin_notices                         postie.php:404

Scheduled Events (1)

check_postie_hook
Postie Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 29, 2026
PHP min version: 7.0
Downloads: 1.2M

Community Trust

Rating: 94/100
Number of ratings: 139
Active installs: 10K
Postie Developer Profile

Wayne Allen

1 plugin · 10K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 1439 days
How We Detect Postie

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  /wp-content/plugins/postie/postie.css
  /wp-content/plugins/postie/postie.js
  /wp-content/plugins/postie/postie-settings.js

Script Paths
  /wp-content/plugins/postie/postie.js
  /wp-content/plugins/postie/postie-settings.js

Version Parameters
  postie/postie.css?ver=
  postie/postie.js?ver=
  postie/postie-settings.js?ver=

HTML / DOM Fingerprints

CSS Classes: postie-settings
HTML Comments: <!-- Postie -->
JS Globals: postie_ajax_object
REST Endpoints: /wp-json/postie/v1