CVE-2025-24631 identifies a reflected Cross-site Scripting (XSS) vulnerability in the BP Email Assign Templates plugin by shanebp, a WordPress plugin used to customize email assignment templates. The vulnerability stems from improper input sanitization during the generation of web pages, allowing untrusted input to be reflected back in the HTTP response without adequate neutralization. This flaw enables attackers to craft malicious URLs that, when visited by an authenticated or unauthenticated user, execute arbitrary JavaScript code in the victim's browser context. Such code execution can lead to theft of session cookies, redirection to malicious sites, or execution of unauthorized actions within the application. The vulnerability affects all versions up to 1.5, with no patches currently available. Exploitation does not require prior authentication but does require user interaction, such as clicking a malicious link. While no active exploits have been reported, the widespread use of WordPress and its plugins makes this a significant risk. The lack of a CVSS score necessitates an independent severity assessment based on impact and exploitability factors.

The impact of CVE-2025-24631 is primarily on the confidentiality and integrity of user data within affected WordPress sites. Successful exploitation can lead to session hijacking, enabling attackers to impersonate legitimate users, including administrators, potentially resulting in unauthorized access and control over the site. Attackers may also steal sensitive information, inject malicious content, or perform actions on behalf of users without their consent. This can degrade trust in the affected websites and lead to reputational damage, data breaches, and compliance violations. Since the vulnerability is reflected XSS, it requires user interaction, which may limit large-scale automated exploitation but still poses a significant threat through phishing or social engineering campaigns. The availability impact is generally low but could be indirectly affected if attackers deface sites or disrupt normal operations.

To mitigate CVE-2025-24631, organizations should immediately audit their WordPress installations for the presence of the BP Email Assign Templates plugin and verify the version in use. Until an official patch is released, consider disabling or uninstalling the plugin to eliminate exposure. Implement Web Application Firewall (WAF) rules to detect and block reflected XSS attack patterns targeting the plugin's endpoints. Educate users and administrators about the risks of clicking untrusted links, especially those purporting to be related to email template management. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Monitor web server logs for suspicious requests that may indicate attempted exploitation. Once a patch becomes available, apply it promptly and test the environment to confirm remediation. Additionally, review and harden input validation and output encoding practices in custom plugins or themes to prevent similar vulnerabilities.