CVE-2025-22802 is a stored cross-site scripting vulnerability found in the Email Templates Customizer for WordPress – Drag And Drop Email Templates Builder – YeeMail plugin, versions up to 2.1.4. The vulnerability stems from improper neutralization of input during the generation of web pages, specifically within the email template customization functionality. An attacker can inject malicious JavaScript code into email templates that are stored persistently. When legitimate users or administrators view these crafted email templates, the malicious script executes in their browser context. This can lead to session hijacking, credential theft, unauthorized actions performed with the victim's privileges, or further malware delivery. The plugin is designed to allow drag-and-drop customization of email templates in WordPress, a widely used content management system. Although no known exploits are currently in the wild, the vulnerability poses a significant risk due to the stored nature of the XSS, which does not require repeated injection and can affect multiple users. No CVSS score has been assigned yet, and no official patches have been linked, indicating that remediation may still be pending. The vulnerability is cataloged by Patchstack and publicly disclosed as of January 2025.

The impact of CVE-2025-22802 is primarily on the confidentiality and integrity of affected WordPress sites using the YeeMail plugin. Successful exploitation allows attackers to execute arbitrary JavaScript in the browsers of users who view the compromised email templates. This can lead to theft of authentication cookies, enabling session hijacking and unauthorized access to user accounts, including administrative accounts. Attackers could also manipulate the content displayed to users or perform actions on their behalf, potentially leading to further compromise of the WordPress site or connected systems. Since email templates are often viewed by multiple users, the scope of impact can be broad within an organization. Additionally, attackers might use the vulnerability as a pivot point to deliver malware or conduct phishing attacks. Although no exploits are currently known in the wild, the vulnerability’s presence in a popular CMS plugin means that many organizations worldwide could be at risk, especially those relying on customized email communications for business operations.

1. Monitor the plugin vendor’s official channels and WordPress plugin repository for security updates or patches addressing CVE-2025-22802 and apply them immediately upon release. 2. Until an official patch is available, disable or uninstall the Email Templates Customizer for WordPress – YeeMail plugin to eliminate exposure. 3. Implement strict input validation and output encoding within the plugin’s code if custom modifications are possible, ensuring all user-supplied input is sanitized before storage and rendering. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the WordPress site. 5. Conduct regular security audits and penetration testing focusing on plugin vulnerabilities and stored XSS risks. 6. Educate administrators and users about the risks of interacting with untrusted email templates and encourage cautious behavior. 7. Use web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting WordPress plugins. 8. Maintain regular backups of WordPress sites to enable recovery in case of compromise.