Description
The Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress is vulnerable to authorization bypass due to type juggling in all versions up to, and including, 3.3.0. This is due to the use of loose comparison (==) instead of strict comparison (===) when validating the installation ID in the `/wp-json/mailin/v1/mailin_disconnect` REST API endpoint. This makes it possible for unauthenticated attackers to disconnect the Brevo integration, delete the API key, remove all subscription forms, and reset plugin settings by sending a boolean `true` value for the `id` parameter, which bypasses the authorization check through PHP type juggling.
Published: 2026-02-18
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass leading to plugin and API key removal
Action: Immediate Patch
AI Analysis

Impact

The Brevo plugin for WordPress contains an authorization bypass flaw caused by PHP type juggling when validating the installation ID on the /wp-json/mailin/v1/mailin_disconnect REST endpoint. The code uses a loose comparison (==) instead of a strict comparison (===), so an unauthenticated user can supply the boolean true value for the id parameter. This bypasses the authorization check, allowing the attacker to disconnect the Brevo integration, delete the API key, remove all subscription forms, and reset plugin settings. The weakness is classified as CWE-843: Type Confusion. The impact includes loss of access to the mail service for the site and disruption of automated email, SMS, push, and chat notifications.
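The following PHP snippet is an added illustration and is not code from the Brevo plugin; it shows why a loose `==` on a stored installation ID is satisfied by a boolean `true`, beside a strict replacement of the kind a defender would expect in the endpoint's authorization check. The stored ID is a constructed sample value, and the snippet runs stand-alone on PHP 7.1 or later without WordPress.

```php
<?php
// Added example (not the plugin's own code). $stored_id is a constructed
// sample standing in for the installation ID the plugin persists.

function loose_id_check(string $stored_id, $submitted_id): bool
{
    // Vulnerable pattern: == applies PHP type juggling. When one operand is
    // a boolean, the other operand is converted to boolean first, and any
    // non-empty string other than "0" converts to true, so "any-id" == true
    // evaluates to true regardless of the actual ID.
    return $stored_id == $submitted_id;
}

function strict_id_check(string $stored_id, $submitted_id): bool
{
    // Hardened pattern: reject anything that is not a string, then compare
    // with hash_equals(), which requires two strings and is timing-safe.
    // A plain === would also refuse the boolean; hash_equals adds the
    // constant-time property for secret-like identifiers.
    if (!is_string($submitted_id)) {
        return false;
    }
    return hash_equals($stored_id, $submitted_id);
}

// Constructed inputs modelling what a request's `id` parameter could carry.
$stored_id = 'constructed-installation-id-42';
$cases = [
    'correct string' => 'constructed-installation-id-42',
    'wrong string'   => 'some-other-id',
    'boolean true'   => true,
];

foreach ($cases as $label => $input) {
    printf(
        "%-15s loose=%s strict=%s\n",
        $label,
        var_export(loose_id_check($stored_id, $input), true),
        var_export(strict_id_check($stored_id, $input), true)
    );
}
```

For the boolean case the loose check returns true while the strict check returns false; the two string cases behave identically under both checks, which is why the fix does not break legitimate disconnect requests.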

Affected Systems

The vulnerability affects all versions of the Brevo – Email, SMS, Web Push, Chat, and more. plugin for WordPress up to and including version 3.3.0. No specific WordPress core or other plugin version constraints are listed.

Risk and Exploitability

The CVSS score is 6.5, indicating a medium severity. The EPSS score is less than 1%, meaning exploitation is considered unlikely at present. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote, via the publicly exposed REST API endpoint. An attacker does not need authentication or any other privileges to trigger the bypass, so the risk remains significant in environments that expose the endpoint to the internet.

Generated by OpenCVE AI on April 21, 2026 at 00:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Brevo plugin to the latest available version that includes the fix
  • After updating, regenerate all Brevo API keys to prevent any accidental reuse of compromised credentials
  • Restrict or block the /wp-json/mailin/v1/mailin_disconnect REST endpoint through firewall or server configuration to reduce the attack surface


Advisories

No advisories yet.

History

Thu, 19 Feb 2026 10:30:00 +0000

Type: First Time appeared
  Values Added:
    Neeraj Slit
    Neeraj Slit brevo – Email, Sms, Web Push, Chat, And More.
    Wordpress
    Wordpress wordpress
Type: Vendors & Products
  Values Added:
    Neeraj Slit
    Neeraj Slit brevo – Email, Sms, Web Push, Chat, And More.
    Wordpress
    Wordpress wordpress

Wed, 18 Feb 2026 21:15:00 +0000

Type: Metrics
  Values Added:
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 11:30:00 +0000

Type: Description
  Values Added: The Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress is vulnerable to authorization bypass due to type juggling in all versions up to, and including, 3.3.0. This is due to the use of loose comparison (==) instead of strict comparison (===) when validating the installation ID in the `/wp-json/mailin/v1/mailin_disconnect` REST API endpoint. This makes it possible for unauthenticated attackers to disconnect the Brevo integration, delete the API key, remove all subscription forms, and reset plugin settings by sending a boolean `true` value for the `id` parameter, which bypasses the authorization check through PHP type juggling.
Type: Title
  Values Added: Brevo - Email, SMS, Web Push, Chat, and more. <= 3.3.0 - Unauthenticated Authorization Bypass via Type Juggling
Type: Weaknesses
  Values Added: CWE-843
Type: References
Type: Metrics
  Values Added:
    cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


Subscriptions

Neeraj Slit Brevo – Email, Sms, Web Push, Chat, And More.
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:40.367Z

Reserved: 2025-12-16T19:50:41.434Z

Link: CVE-2025-14799

Vulnrichment

Updated: 2026-02-18T20:20:39.706Z

NVD

Status : Deferred

Published: 2026-02-18T12:15:58.573

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14799

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:15:16Z

Weaknesses