CVE-2025-39539
Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brewlabs WP Email Delivery wp-email-delivery allows Reflected XSS. This issue affects WP Email Delivery: from n/a through <= 1.20.11.23.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in WP Email Delivery plugin (<=1.20.11.23) allows attackers to inject malicious scripts via crafted requests.
The WP Email Delivery plugin for WordPress versions 1.20.11.23 and earlier contains a reflected cross-site scripting (XSS) vulnerability due to improper neutralization of user input during web page generation [1]. This flaw occurs when the plugin fails to sanitize or escape output, enabling an attacker to inject arbitrary HTML and JavaScript code.
Exploitation requires user interaction; a victim must click a malicious link or visit a specially crafted URL [1]. The attack can be initiated by any unauthenticated user, but successful exploitation depends on a privileged user performing an action such as clicking a link or submitting a form [1]. This makes the vulnerability suitable for mass-exploit campaigns targeting thousands of WordPress sites.
If exploited, an attacker can inject malicious scripts that execute in the context of the victim's browser, potentially leading to redirects, display of advertisements, or theft of sensitive information [1]. The CVSS v3 score is 7.1 (High), reflecting the moderate impact and user interaction requirements.
As of the publication date, no official patch is available; however, Patchstack has released a mitigation rule to block attacks until an update can be safely applied [1]. Users are advised to update the plugin immediately when a fixed version becomes available or contact their hosting provider for assistance.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=1.20.11.23
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.