CVE-2025-28874 identifies an authorization bypass vulnerability in the shanebp BP Email Assign Templates plugin, which is used in WordPress environments to manage email assignment templates. The vulnerability stems from incorrectly configured access control security levels that rely on a user-controlled key, allowing attackers to circumvent authorization checks. This means that an attacker can manipulate input parameters or keys that the system trusts to grant permissions, thereby gaining unauthorized access to restricted functions or data. The affected versions include all releases up to and including version 1.7. Since the vulnerability is related to access control, it primarily impacts the integrity and confidentiality of the system by enabling privilege escalation or unauthorized actions. No public exploits have been reported yet, and no official patches are currently linked, indicating that mitigation relies on vendor updates or manual access control reviews. The lack of a CVSS score suggests this is a newly published vulnerability, with severity assessed based on technical characteristics. The vulnerability is particularly relevant for organizations using this plugin in WordPress environments, which are common in content management and digital communication platforms.

The potential impact of CVE-2025-28874 is significant for organizations using the BP Email Assign Templates plugin, as it allows attackers to bypass authorization controls and perform unauthorized actions. This could lead to unauthorized access to sensitive email templates or assignment configurations, potentially exposing confidential communication or enabling further attacks such as phishing or privilege escalation. The integrity of email assignment workflows could be compromised, disrupting business processes. Since the vulnerability does not require authentication barriers to be bypassed, it increases the attack surface, especially for publicly accessible WordPress sites. Organizations relying on this plugin for critical communication or workflow automation could face data breaches, operational disruptions, and reputational damage. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability’s nature makes it a high-risk target once exploit code becomes available.

To mitigate CVE-2025-28874, organizations should immediately audit the access control configurations within the BP Email Assign Templates plugin, focusing on how user-controlled keys are validated and authorized. Restrict or sanitize all user inputs that influence authorization decisions to prevent manipulation. Monitor logs for unusual access patterns or unauthorized attempts to access email assignment features. Disable or remove the plugin if it is not essential to reduce the attack surface. Stay alert for official patches or updates from the vendor and apply them promptly once released. Employ web application firewalls (WAFs) to detect and block suspicious requests targeting the plugin’s endpoints. Additionally, implement the principle of least privilege for users interacting with the plugin and conduct regular security reviews of all third-party plugins in use. Consider isolating critical communication systems from public access where feasible.