CVE-2025-28875 identifies a stored Cross-site Scripting (XSS) vulnerability in the BP Email Assign Templates plugin by shanebp, affecting versions up to 1.6. Stored XSS occurs when malicious input is improperly sanitized and then stored by the application, later rendered in web pages without proper encoding, allowing attackers to execute arbitrary JavaScript in the context of the victim's browser. In this case, the vulnerability stems from improper neutralization of input during web page generation within the plugin, which is used to manage email assignment templates in WordPress environments. An attacker can exploit this by injecting malicious scripts into input fields or template content that are saved and later displayed to users or administrators. When these pages are viewed, the malicious code executes, potentially stealing session cookies, performing actions on behalf of users, or redirecting users to malicious websites. The vulnerability does not require authentication or user interaction beyond viewing the affected page, increasing its risk profile. No official patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The plugin’s usage in WordPress sites makes this a relevant threat vector, especially for organizations relying on this plugin for email template management. The absence of a CVSS score necessitates an expert severity assessment based on the vulnerability’s characteristics.

The impact of this stored XSS vulnerability can be significant for organizations using the BP Email Assign Templates plugin. Attackers can execute arbitrary JavaScript in the context of users’ browsers, leading to session hijacking, credential theft, unauthorized actions within the application, and potential spread of malware or phishing attacks. This can compromise user accounts, including administrative accounts, leading to further system compromise or data breaches. The vulnerability could also damage organizational reputation if exploited to deface websites or deliver malicious content to users. Since the plugin is used within WordPress, a widely deployed content management system, the scope of affected systems is broad. The ease of exploitation without authentication or complex prerequisites increases the likelihood of attacks once the vulnerability is publicly known. Organizations with sensitive data or high-value targets are at greater risk of targeted exploitation. Additionally, the lack of current patches means the window of exposure remains open, increasing the urgency for mitigation.

To mitigate CVE-2025-28875, organizations should first verify if they use the BP Email Assign Templates plugin and identify the version in use. Immediate steps include: 1) Temporarily disabling or uninstalling the plugin if it is not critical to operations. 2) Monitoring official vendor channels and security advisories for patches or updates addressing this vulnerability and applying them promptly once available. 3) Implementing Web Application Firewall (WAF) rules to detect and block typical XSS payloads targeting the plugin’s input fields or template content. 4) Conducting input validation and output encoding on all user-supplied data within the plugin’s scope, if custom development or overrides are possible. 5) Educating administrators and users to be cautious of unexpected or suspicious content in email templates or plugin interfaces. 6) Reviewing and restricting user permissions to limit who can modify email templates, reducing the risk of malicious input injection. 7) Regularly scanning web applications with security tools to detect XSS vulnerabilities and signs of exploitation. These measures, combined with timely patching, will reduce the risk of exploitation and limit potential damage.