CVE-2025-14799
📋 TL;DR
This vulnerability allows unauthenticated attackers to bypass authorization in the Brevo WordPress plugin using PHP type juggling. Attackers can disconnect Brevo integration, delete API keys, remove subscription forms, and reset plugin settings. All WordPress sites using Brevo plugin versions up to 3.3.0 are affected.
💻 Affected Systems
- Brevo - Email, SMS, Web Push, Chat, and more. WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of email marketing and communication capabilities, loss of subscriber data, and potential business impact from broken integrations.
Likely Case
Attackers disconnect Brevo integration, causing email marketing disruption and requiring reconfiguration of the plugin.
If Mitigated
Minimal impact if plugin is not actively used or if proper network controls prevent unauthorized API access.
🎯 Exploit Status
Simple HTTP POST request with boolean parameter triggers the vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.3.1
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3448639/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins. 3. Find Brevo plugin. 4. Click 'Update Now' to version 3.3.1 or later. 5. Verify update completes successfully.
🔧 Temporary Workarounds
Disable vulnerable REST endpoint
allBlock access to the vulnerable /wp-json/mailin/v1/mailin_disconnect endpoint
# Add to .htaccess for Apache:
RewriteRule ^wp-json/mailin/v1/mailin_disconnect - [F,L]
# Add to nginx config:
location ~* ^/wp-json/mailin/v1/mailin_disconnect { deny all; }
🧯 If You Can't Patch
- Temporarily disable the Brevo plugin until patching is possible
- Implement WAF rules to block requests containing boolean 'true' values for the 'id' parameter
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Brevo plugin version. If version is 3.3.0 or lower, you are vulnerable.Check Version:
wp plugin list --name=brevo --field=versionVerify Fix Applied:
After updating, verify plugin version shows 3.3.1 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /wp-json/mailin/v1/mailin_disconnect
- Requests with parameter 'id=true' or 'id=1'
Network Indicators:
- POST requests to vulnerable endpoint from unauthorized IPs
- Unusual traffic patterns to WordPress REST API
SIEM Query:
source="web_logs" AND uri_path="/wp-json/mailin/v1/mailin_disconnect" AND http_method="POST"🔗 References
- https://plugins.trac.wordpress.org/browser/mailin/tags/3.2.9/sendinblue.php#L1795
- https://plugins.trac.wordpress.org/browser/mailin/tags/3.2.9/sendinblue.php#L1833
- https://plugins.trac.wordpress.org/changeset/3448639/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f29e5b19-2505-4b02-92c7-071833de6bc2?source=cve
