CVE-2025-23956

Vulnerability

Overview

The WP Easy Post Mailer plugin for WordPress (versions up to and including 0.64) contains a reflected Cross-Site Scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw allows an attacker to inject arbitrary HTML and JavaScript into the response of a vulnerable page.

Exploitation

Details

Exploitation requires a privileged user (such as an administrator) to perform an action, such as clicking a malicious link or visiting a specially crafted page [1]. The attacker does not need authentication but must trick a logged-in user into interacting with the crafted request. This makes the vulnerability suitable for mass-exploit campaigns targeting thousands of websites regardless of their size or popularity [1].

Impact

Successful exploitation enables the attacker to inject malicious scripts that can execute in the context of the victim's browser. This can lead to redirects, display of advertisements, theft of session cookies, or other harmful actions when other users visit the affected site [1].

Mitigation

Users are strongly advised to update the plugin to a patched version as soon as one becomes available. In the interim, a mitigation rule from Patchstack can block attacks until an official fix is applied [1]. Given the active exploitation risk, immediate action is recommended.