CVE-2025-24631
Published: 03 February 2025
Description
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Security Summary
CVE-2025-24631 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the BP Email Assign Templates WordPress plugin by shanebp (bp-email-assign-templates). This issue affects all versions of the plugin from n/a through 1.5 inclusive.
The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating network accessibility, low attack complexity, no required privileges, and user interaction such as clicking a malicious link. Remote attackers can exploit it by tricking authenticated or unauthenticated users into interacting with reflected malicious input on affected sites, achieving limited impacts on confidentiality, integrity, and availability within a changed security scope.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/bp-email-assign-templates/vulnerability/wordpress-bp-email-assign-templates-plugin-1-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve details this Reflected XSS vulnerability in BP Email Assign Templates version 1.5. Security practitioners should review the advisory for vulnerability specifics and recommended mitigations.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in public-facing WordPress plugin directly enables T1190 exploitation; attack requires tricking users via malicious links (T1204.001).