How the CVE Works:
CVE-2025-28874 is an authorization bypass through a user-controlled key (CWE-639) in the BP Email Assign Templates WordPress plugin, versions 1.6 and earlier. The affected handler selects the record it acts on from a key supplied by the client (for example a user ID or a template key) and never checks that the caller is allowed to act on that record. An attacker who can reach the handler simply substitutes another user's key in the request and assigns or deletes email templates for that user, or reads data that belongs to them. The missing step is authorization, not authentication: the request may carry a perfectly valid session, but nothing binds the supplied key to the caller's own identity or to a capability that permits acting on other users, so the plugin's intended access-control level is bypassed.
DailyCVE Form:
Platform: WordPress Plugins
Version: ≤1.6
Vulnerability: Auth Bypass
Severity: Critical
Date: 04/09/2025
What Undercode Say:
Exploit:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

action=bp_email_assign_template&user_key=<victim_user_id>&template_id=<template_id>
(The action is a POST body parameter, not a header; the action and parameter names here are those used in this post. user_key names the victim, so a low-privileged caller who controls it acts on someone else's templates.)
Detection:
# WordPress admin-ajax.php replies "0" when the action is not registered for this
# caller and "-1" when a nonce/referer check fails. Any other reply means the
# handler executed for an unauthenticated request: treat the site as vulnerable.
# Repeat with a low-privileged user's session cookie (-b) to test the authenticated path.
curl -s -X POST "http://target.com/wp-admin/admin-ajax.php" \
     -d "action=bp_email_assign_template&user_key=1&template_id=1" \
  | grep -qE '^(0|-1)$' && echo "rejected (expected)" || echo "handler reached: investigate"
Mitigation:
1. Update the plugin to a release newer than 1.6 (every release up to and including 1.6 is affected). If no fixed release is available, deactivate the plugin until one is.
2. Add server-side validation in the AJAX handler. A capability check alone does not close a CWE-639 hole: the user-controlled key must also be bound to the caller.
   // Reject callers who may not manage other users' templates.
   if ( ! current_user_can( 'edit_users' ) ) { wp_die( 'Unauthorized', 403 ); }
   // Then bind the key: accept user_key only when it equals get_current_user_id()
   // or current_user_can( 'edit_user', (int) $_POST['user_key'] ) is true.
3. WAF rule (nginx, merged into the existing location that serves admin-ajax.php). $args is the query string only, so an action sent in the POST body is invisible to this rule, and Referer is client-controlled; it also blocks every front-end admin-ajax.php call, which many themes and plugins rely on. Use it as a short stopgap, not as the fix.
   location = /wp-admin/admin-ajax.php {
       if ($args ~* "action=bp_email_assign_template") { return 403; }
       if ($http_referer !~ "/wp-admin/") { return 403; }
       # keep the existing fastcgi_pass / include fastcgi_params lines here
   }
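The mechanism described under "How the CVE Works" and the server-side check in mitigation step 2, as one worked example. This is an added illustration, not the BP Email Assign Templates plugin's code: the action and parameter names (bp_email_assign_template, user_key, template_id) follow this post, while the function names, the meta key and post type 'beat_template' and the nonce action 'beat_assign' are assumptions. The vulnerable handler sits beside its hardened form so the missing check is visible.

```php
<?php
/*
 * Added illustrative example; not the BP Email Assign Templates code.
 * Action/parameter names (bp_email_assign_template, user_key, template_id)
 * follow this post. The meta key 'beat_template', the post type
 * 'beat_template' and the nonce action 'beat_assign' are assumptions.
 */

// VULNERABLE pattern (CWE-639). Shown for contrast only: not hooked in below.
function beat_assign_template_vulnerable() {
    $user_id     = (int) $_POST['user_key'];    // the attacker picks the victim
    $template_id = (int) $_POST['template_id'];
    // No nonce, no login check, and no check that the caller may act on
    // $user_id: whoever reaches this handler re-assigns anyone's template.
    update_user_meta( $user_id, 'beat_template', $template_id );
    wp_send_json_success();
}
// A wp_ajax_nopriv_ registration like the commented one would additionally make
// the same handler reachable without any session at all:
// add_action( 'wp_ajax_nopriv_bp_email_assign_template', 'beat_assign_template_vulnerable' );

// HARDENED handler.
function beat_assign_template_hardened() {
    // 1. CSRF: require a nonce minted with wp_create_nonce( 'beat_assign' ).
    //    check_ajax_referer() dies with "-1" when the nonce is missing or stale.
    check_ajax_referer( 'beat_assign', 'nonce' );

    // 2. Authentication: only the wp_ajax_ hook (never wp_ajax_nopriv_) is
    //    registered below, but check explicitly so a later hook change cannot
    //    silently widen access.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Unauthorized', 401 );
    }

    $requested   = isset( $_POST['user_key'] )    ? absint( $_POST['user_key'] )    : 0;
    $template_id = isset( $_POST['template_id'] ) ? absint( $_POST['template_id'] ) : 0;

    // 3. Authorization: the client-supplied key is a request, not a decision.
    //    Act on the caller's own account, or on another user only with the
    //    edit_user meta capability for that specific user.
    $current = get_current_user_id();
    if ( 0 === $requested || $requested === $current ) {
        $target = $current;
    } elseif ( current_user_can( 'edit_user', $requested ) ) {
        $target = $requested;
    } else {
        wp_send_json_error( 'Forbidden', 403 );   // exits
    }

    // 4. Validate the second key too: the template must exist and be ours.
    if ( 0 === $template_id || 'beat_template' !== get_post_type( $template_id ) ) {
        wp_send_json_error( 'Invalid template', 400 );
    }

    update_user_meta( $target, 'beat_template', $template_id );
    wp_send_json_success( array( 'user' => $target, 'template' => $template_id ) );
}
add_action( 'wp_ajax_bp_email_assign_template', 'beat_assign_template_hardened' );
```

The client must send the nonce as the `nonce` field (hand it to the script with wp_localize_script() or wp_create_nonce( 'beat_assign' )). The ordering matters: the capability check runs against the specific user ID in the request, not a blanket role test, so an editor with edit_users on some users cannot reach the rest. If templates are per-user private posts, the same reasoning applies to template_id: compare post_author with the caller before accepting it, otherwise the second key is its own CWE-639 instance.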
Log Analysis:
# $9 is the status code in nginx's default "combined" format; list sources whose calls succeeded.
grep "bp_email_assign_template" /var/log/nginx/access.log | awk '$9 == 200 {print $1}' | sort | uniq -c | sort -rn
# Caveat: the combined format logs the request line only (method, path, query string). The action
# appears here only when it was sent as a query parameter; POST bodies are not logged. To see them,
# add $request_body to a custom log_format on the admin-ajax.php location, or baseline POST volume
# to /wp-admin/admin-ajax.php per source IP and investigate outliers.
Impact:
- Unauthorized data leaks.
- Admin takeover via template injection.
References:
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-28874
- Patchstack Advisory: PS-2025-28874
- CWE-639: Authorization Bypass Through a User-Controlled Key