Description
Authorization Bypass Through User-Controlled Key vulnerability in shanebp BP Email Assign Templates bp-email-assign-templates allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BP Email Assign Templates: from n/a through <= 1.7.
Published: 2025-03-11
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an authorization bypass denoted by CWE-639 that allows an attacker to delete arbitrary content from the WordPress site. By supplying a crafted key through the BP Email Assign Templates plugin, the attacker can trigger the plugin’s deletion functionality without proper access checks, causing data loss. The flaw arises from incorrect configuration of access control security levels in the plugin’s code base.

Affected Systems

This issue affects the WordPress plugin BP Email Assign Templates developed by shanebp. Versions up through 1.7 are impacted.

Risk and Exploitability

The CVSS score of 6.5 places this bug in the Medium severity range, while the EPSS score indicates a very low but nonzero exploitation probability (<1%). It is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker who can interact with the plugin’s interface and supply a specific user-controlled key may bypass authorization checks and delete content, though no public exploitation is documented at this time.

Generated by OpenCVE AI on May 1, 2026 at 14:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade BP Email Assign Templates plugin to a version newer than 1.7.
  • Restrict the plugin’s deletion feature to users with administrative privileges only.
  • If an update cannot be applied immediately, consider disabling the plugin until a patched version is available.

Advisories
Source: EUVD
ID: EUVD-2025-7841
Title: Authorization Bypass Through User-Controlled Key vulnerability in shanebp BP Email Assign Templates allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BP Email Assign Templates: from n/a through 1.6.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N'}
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Authorization Bypass Through User-Controlled Key vulnerability in shanebp BP Email Assign Templates allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BP Email Assign Templates: from n/a through 1.6.
Values Added: Authorization Bypass Through User-Controlled Key vulnerability in shanebp BP Email Assign Templates bp-email-assign-templates allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BP Email Assign Templates: from n/a through <= 1.7.

Type: Title
Values Removed: WordPress BP Email Assign Templates By shanebp plugin <= 1.6 - Arbitrary Content Deletion vulnerability
Values Added: WordPress BP Email Assign Templates By shanebp plugin <= 1.7 - Arbitrary Content Deletion vulnerability

Type: References

Type: Metrics (cvssV3_1)
Values Removed: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H'}
Values Added: {'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N'}


Fri, 11 Jul 2025 13:45:00 +0000

Type: Metrics (epss)
Values Removed: {'score': 0.0004}
Values Added: {'score': 0.00052}


Wed, 09 Apr 2025 13:45:00 +0000

Type: First Time appeared
Values Added: Shanebp; Shanebp bp Email Assign Templates

Type: CPEs
Values Added: cpe:2.3:a:shanebp:bp_email_assign_templates:*:*:*:*:*:wordpress:*:*

Type: Vendors & Products
Values Added: Shanebp; Shanebp bp Email Assign Templates

Wed, 12 Mar 2025 14:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 11 Mar 2025 21:15:00 +0000

Type: Description
Values Added: Authorization Bypass Through User-Controlled Key vulnerability in shanebp BP Email Assign Templates allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects BP Email Assign Templates: from n/a through 1.6.

Type: Title
Values Added: WordPress BP Email Assign Templates By shanebp plugin <= 1.6 - Arbitrary Content Deletion vulnerability

Type: Weaknesses
Values Added: CWE-639

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:49.689Z

Reserved: 2025-03-11T08:08:49.775Z

Link: CVE-2025-28874

Vulnrichment

Updated: 2025-03-12T13:45:33.151Z

NVD

Status: Modified

Published: 2025-03-11T21:15:44.907

Modified: 2026-04-23T15:26:29.050

Link: CVE-2025-28874

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:15:20Z