Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shanebp BP Email Assign Templates bp-email-assign-templates allows Stored XSS. This issue affects BP Email Assign Templates: from n/a through <= 1.6.
Published: 2025-03-11
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The BP Email Assign Templates plugin for WordPress, developed by shanebp, contains a stored cross‑site scripting flaw due to improper neutralization of user input during web page generation. An attacker can place malicious JavaScript code in an email template that is saved by the plugin and later rendered to users, enabling script execution in their browsers. The vulnerability is a classic XSS weakness (CWE‑79) and can compromise confidentiality, integrity, or availability of the affected site depending on the attacker’s intent.

Affected Systems

Any WordPress installation that uses the BP Email Assign Templates plugin from shanebp, version 1.6 or earlier, is vulnerable. The flaw exists in all releases up to and including 1.6; newer releases are not documented as affected.

Risk and Exploitability

The CVSS score of 5.9 reflects moderate severity, while the EPSS score of less than 1% indicates a very low but non‑zero probability of exploitation. This issue is not listed in the CISA KEV catalog. Attackers could exploit the flaw by creating or editing an email template that contains malicious JavaScript; when the template content is viewed by any site user, the payload runs in their browser, potentially enabling session hijacking, defacement, or cookie theft. The likely attack vector is through the plugin’s template creation interface, which fails to sanitize input before storing it.

Generated by OpenCVE AI on May 1, 2026 at 14:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the BP Email Assign Templates plugin to the latest version that addresses the XSS flaw.
  • If an update is unavailable or impractical, disable or uninstall the BP Email Assign Templates plugin to remove the vector.
  • Apply a web application firewall or input‑sanitization measures to detect and block XSS payloads in stored content.



Advisories
Source: EUVD
ID: EUVD-2025-7842
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shanebp BP Email Assign Templates allows Stored XSS. This issue affects BP Email Assign Templates: from n/a through 1.6.

History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics: cvssV3_1
  Values Removed: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}
  Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shanebp BP Email Assign Templates allows Stored XSS. This issue affects BP Email Assign Templates: from n/a through 1.6.
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shanebp BP Email Assign Templates bp-email-assign-templates allows Stored XSS. This issue affects BP Email Assign Templates: from n/a through <= 1.6.
References
Metrics: cvssV3_1
  Values Removed: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}
  Values Added: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}


Fri, 11 Jul 2025 13:45:00 +0000

Metrics: epss
  Values Removed: {'score': 0.00038}
  Values Added: {'score': 0.00054}


Wed, 09 Apr 2025 13:30:00 +0000

First Time appeared
  Values Added: Shanebp; Shanebp bp Email Assign Templates
CPEs
  Values Added: cpe:2.3:a:shanebp:bp_email_assign_templates:*:*:*:*:*:wordpress:*:*
Vendors & Products
  Values Added: Shanebp; Shanebp bp Email Assign Templates

Wed, 12 Mar 2025 14:15:00 +0000

Metrics: ssvc
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 11 Mar 2025 21:15:00 +0000

Description
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in shanebp BP Email Assign Templates allows Stored XSS. This issue affects BP Email Assign Templates: from n/a through 1.6.
Title
  Values Added: WordPress BP Email Assign Templates By shanebp plugin <= 1.6 - Cross-Site Scripting vulnerability
Weaknesses
  Values Added: CWE-79
References
Metrics: cvssV3_1
  Values Added: {'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:49.765Z

Reserved: 2025-03-11T08:09:00.483Z

Link: CVE-2025-28875

Vulnrichment

Updated: 2025-03-12T13:45:30.585Z

NVD

Status: Modified

Published: 2025-03-11T21:15:45.053

Modified: 2026-04-23T15:26:29.170

Link: CVE-2025-28875

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T14:15:20Z

Weaknesses