CVE-2025-22802: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2025-22802 affects the Email Templates Customizer for WordPress (YeeMail) plugin versions 2.1.4 and below. This security issue was discovered by researcher SavPhill and was publicly disclosed on January 7, 2025. The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue that affects authenticated users with Contributor privileges or higher (Patchstack).

The vulnerability has been assigned a CVSS score of 6.5 (Medium severity). The technical assessment indicates this is an Injection vulnerability, specifically falling under the OWASP Top 10 category A3: Injection. The vulnerability type is classified as a Cross-Site Scripting (XSS) issue that requires authenticated access with Contributor-level privileges or higher (Patchstack).

The vulnerability could allow malicious actors to inject malicious scripts, including redirects, advertisements, and other HTML payloads into the website. These injected scripts would be executed when guests visit the affected site. The impact is considered to have a low severity and is deemed unlikely to be exploited (Patchstack).

The vulnerability has been patched in version 2.1.5 of the Email Templates Customizer for WordPress plugin. Users are advised to update to version 2.1.5 or later to remove the vulnerability. Patchstack users have the option to enable auto-update for vulnerable plugins (Patchstack).