CVE-2025-23593: 
WordPress vulnerability analysis and mitigation

The EmailPress WordPress plugin version 1.0 and earlier contains a Reflected Cross-Site Scripting (XSS) vulnerability. This security issue was discovered on January 16, 2025, and was assigned CVE-2025-23593. The vulnerability affects all versions of EmailPress through version 1.0, with no known fix currently available (Patchstack, WPScan).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue due to insufficient input sanitization and output escaping in the EmailPress plugin. It has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L. The vulnerability is categorized under CWE-79: Improper Neutralization of Input During Web Page Generation (NVD).

This vulnerability allows unauthenticated attackers to inject arbitrary web scripts into pages that will execute when users perform specific actions, such as clicking on a malicious link. The successful exploitation could lead to theft of sensitive information, session hijacking, or other malicious actions performed in the context of the affected users' browsers (WPScan).

Currently, there is no official fix available for this vulnerability. Patchstack has issued a virtual patch to mitigate this issue by blocking potential attacks until an official fix becomes available. Website administrators are advised to either implement the virtual patch or consider removing the plugin until a security update is released (Patchstack).