CVE-2024-5200: 
WordPress vulnerability analysis and mitigation

The Postie WordPress plugin versions prior to 1.9.71 contain a Stored Cross-Site Scripting (XSS) vulnerability. The vulnerability exists due to insufficient sanitization and escaping of plugin settings, which affects high-privilege users such as administrators, even when the unfiltered_html capability is disallowed in multisite setups (WPScan).

The vulnerability is present in the Image settings section of the Postie plugin. The plugin fails to properly sanitize and escape custom image template settings, allowing for the injection of malicious scripts. The XSS payload can be triggered whenever someone accesses the affected settings page. This vulnerability has been assigned a CVSS score of 3.5 (Low) and is classified under CWE-79 (Cross-Site Scripting) (WPScan).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. When exploited, the XSS payload will be executed whenever any user accesses the plugin settings page, potentially leading to client-side code execution in the context of the victim's browser (WPScan).

Users are advised to upgrade to Postie version 1.9.71 or later, which contains the fix for this vulnerability. There are no known workarounds for this vulnerability other than updating to the patched version (WPScan).