CVE-2025-2165
📋 TL;DR
The SH Email Alert WordPress plugin has a reflected cross-site scripting vulnerability in all versions up to 1.0. Unauthenticated attackers can inject malicious scripts via the 'mid' parameter, potentially stealing user credentials or session cookies when victims click specially crafted links. All WordPress sites using this plugin are affected.
💻 Affected Systems
- SH Email Alert WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator credentials, gain full control of WordPress site, install backdoors, or redirect visitors to malicious sites.
Likely Case
Attackers steal user session cookies or credentials through phishing links, potentially compromising individual accounts.
If Mitigated
With proper web application firewalls and user awareness, impact limited to unsuccessful phishing attempts.
🎯 Exploit Status
Exploitation requires user interaction (clicking malicious link) but is technically simple with public proof-of-concept available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1 or later
Vendor Advisory: https://wordpress.org/plugins/sh-email-alert/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'SH Email Alert' and check if update is available. 4. Click 'Update Now' or manually update to version 1.1+. 5. Verify plugin is active and functioning.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the vulnerable plugin until patched
wp plugin deactivate sh-email-alert
Web Application Firewall Rule
linuxBlock requests containing XSS payloads in 'mid' parameter
ModSecurity rule: SecRule ARGS:mid "@rx <script" "id:1001,phase:2,deny,status:403,msg:'XSS attempt in SH Email Alert plugin'"
🧯 If You Can't Patch
- Implement Content Security Policy headers to restrict script execution
- Use WordPress security plugins with XSS protection features
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for SH Email Alert version 1.0 or earlierCheck Version:
wp plugin get sh-email-alert --field=versionVerify Fix Applied:
Confirm plugin version is 1.1 or later in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- HTTP requests with 'mid' parameter containing script tags or JavaScript code
- 403 errors from WAF blocking XSS attempts
Network Indicators:
- Unusual referrer headers containing XSS payloads
- Multiple failed requests to manage.php with suspicious parameters
SIEM Query:
source="web_logs" AND uri="*manage.php*" AND (param="*mid=*<script*" OR param="*mid=*javascript:*")