CVE-2025-28875 – This stored cross-site scripting (XSS) vulnerab... (How to Fix)

Q: What is the severity of CVE-2025-28875?

CVE-2025-28875 has a CVSS score of 5.9 (MEDIUM). This stored cross-site scripting (XSS) vulnerability in the BP Email Assign Templates WordPress plugin allows attackers to inject malicious scripts that execute when other users view affected pages. The vulnerability affects all WordPress sites using this plugin from any version up to 1.6. Attackers could steal session cookies, redirect users, or perform actions on their behalf.

📋 TL;DR

This stored cross-site scripting (XSS) vulnerability in the BP Email Assign Templates WordPress plugin allows attackers to inject malicious scripts that execute when other users view affected pages. The vulnerability affects all WordPress sites using this plugin from any version up to 1.6. Attackers could steal session cookies, redirect users, or perform actions on their behalf.

💻 Affected Systems

Products:

BP Email Assign Templates WordPress Plugin

Versions: n/a through 1.6

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: All WordPress installations using vulnerable versions of this plugin are affected regardless of configuration.

📦 What is this software?

Bp Email Assign Templates by Shanebp

View all CVEs affecting Bp Email Assign Templates →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, take over WordPress sites, install backdoors, deface websites, or redirect users to malicious sites.

🟠

Likely Case

Attackers inject malicious JavaScript to steal user session cookies or credentials, potentially compromising user accounts and performing unauthorized actions.

🟢

If Mitigated

With proper input validation and output encoding, malicious scripts would be neutralized before execution, preventing any impact.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

XSS vulnerabilities typically have low exploitation complexity, but this requires some level of access to inject payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.7 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/bp-email-assign-templates/vulnerability/wordpress-bp-email-assign-templates-by-shanebp-plugin-1-6-cross-site-scripting-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'BP Email Assign Templates'. 4. Click 'Update Now' if available. 5. If no update appears, download version 1.7+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate bp-email-assign-templates

Web Application Firewall (WAF)

all

Configure WAF to block XSS payload patterns

🧯 If You Can't Patch

Implement Content Security Policy (CSP) headers to restrict script execution
Enable WordPress security plugins with XSS protection features

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for BP Email Assign Templates version

Check Version:

wp plugin get bp-email-assign-templates --field=version

Verify Fix Applied:

Verify plugin version is 1.7 or higher in WordPress admin panel

📡 Detection & Monitoring

Log Indicators:

Unusual POST requests to plugin endpoints
JavaScript payloads in form submissions
Multiple failed XSS attempts

Network Indicators:

HTTP requests containing script tags or JavaScript payloads to plugin URLs

SIEM Query:

source="wordpress.log" AND ("bp-email-assign" OR "shanebp") AND ("script" OR "javascript" OR "onload" OR "onerror")

📊 Metadata

CVE ID: CVE-2025-28875

CVSS v3 Score: 5.9 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L

CWE: CWE-79

EPSS Score: 0.08% exploit probability (23th percentile)

Published: March 11, 2025

Last Updated: April 9, 2025

🔗 References

https://patchstack.com/database/wordpress/plugin/bp-email-assign-templates/vulnerability/wordpress-bp-email-assign-templates-by-shanebp-plugin-1-6-cross-site-scripting-vulnerability?_s_id=cve Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-28875, you might also want to check these: