Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shanebp BP Email Assign Templates bp-email-assign-templates allows Reflected XSS. This issue affects BP Email Assign Templates: from n/a through <= 1.5.
Published: 2025-02-03
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability originates from the BP Email Assign Templates plugin, which does not properly neutralize user input when rendering web pages, allowing attackers to inject malicious scripts into reflected responses. The flaw permits the execution of arbitrary client-side code with the privileges of the victim's browser. The weakness is classified as Reflected Cross-Site Scripting (CWE-79).

Affected Systems

WordPress sites running shanebp’s BP Email Assign Templates plugin, versions up to and including 1.5, are impacted.

Risk and Exploitability

The CVSS base score of 7.1 indicates a high risk, with the potential for attackers to exploit this flaw via a crafted URL or form submission that is reflected back to the victim's browser. Because the EPSS score is below 1 %, the probability of observed exploitation is currently low, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, the attack surface remains significant for sites that expose the affected plugin, and the vulnerability can be leveraged remotely by any user who can trigger the templating functionality.

Generated by OpenCVE AI on May 2, 2026 at 09:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the BP Email Assign Templates plugin to the latest available release (greater than 1.5).
  • Ensure that all user‑supplied data incorporated into email templates is properly escaped or sanitized to prevent script injection.
  • Deploy a web application firewall or similar filtering mechanism to detect and block potential XSS payloads that reach the template rendering endpoint.

Advisories
Source: EUVD
ID: EUVD-2025-3832
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PhiloPress BP Email Assign Templates allows Reflected XSS. This issue affects BP Email Assign Templates: from n/a through 1.5.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PhiloPress BP Email Assign Templates allows Reflected XSS. This issue affects BP Email Assign Templates: from n/a through 1.5.
Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shanebp BP Email Assign Templates bp-email-assign-templates allows Reflected XSS. This issue affects BP Email Assign Templates: from n/a through <= 1.5.
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00035}

epss

{'score': 0.00045}


Mon, 03 Feb 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 03 Feb 2025 14:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PhiloPress BP Email Assign Templates allows Reflected XSS. This issue affects BP Email Assign Templates: from n/a through 1.5.
Title WordPress BP Email Assign Templates Plugin <= 1.5 - Reflected Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:30.851Z

Reserved: 2025-01-23T14:51:25.978Z

Link: CVE-2025-24631

Vulnrichment

Updated: 2025-02-03T16:35:02.751Z

NVD

Status: Deferred

Published: 2025-02-03T15:15:28.023

Modified: 2026-04-23T15:25:10.860

Link: CVE-2025-24631

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T09:30:20Z

Weaknesses