Impact
This vulnerability is a missing authorization flaw (CWE-862): the Brevo Sendinblue for WooCommerce plugin does not correctly enforce access control on some of its privileged functions. As a result, a user can reach functions or data that should be restricted to higher-privileged roles, potentially modifying newsletter subscription settings or other configuration values. CWE-862 covers missing or inadequate authorization checks on privileged functions.
Affected Systems
Any WordPress site running the Brevo Sendinblue for WooCommerce plugin at version 4.0.49 or earlier is affected, because the plugin’s internal permission checks do not correctly enforce access restrictions.
Risk and Exploitability
The CVSS score of 5.3 indicates moderate severity, and the EPSS of < 1% suggests a low likelihood of widespread exploitation at present. The vulnerability is not listed in the CISA KEV catalog, and no confirmed public exploitation is known. An attacker would first need to authenticate to the WordPress administrative interface or otherwise hold a role with access to the plugin’s backend. Once authenticated, the attacker could interact with the plugin’s settings or subscription-management features without an authorization check stopping them, allowing data tampering or unauthorized configuration changes.
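As an added illustration of the CWE-862 pattern described above (this is not the plugin’s own code; the option name, AJAX actions, REST route and function names are hypothetical), here is a WordPress settings handler that only requires the caller to be logged in, beside a hardened version that enforces a nonce and an explicit capability check:

```php
<?php
// Added example of a missing-authorization (CWE-862) defect in a WordPress
// plugin settings handler. Hypothetical names; NOT the Brevo plugin's code.

// Vulnerable shape: wp_ajax_* hooks fire only for logged-in users, and the
// author treats "logged in" as "authorized". Any Subscriber-level account
// can therefore rewrite the plugin's option.
add_action( 'wp_ajax_example_save_newsletter_settings', 'example_save_newsletter_settings_vulnerable' );
function example_save_newsletter_settings_vulnerable() {
    $enabled = ! empty( $_POST['newsletter_enabled'] );
    update_option( 'example_newsletter_enabled', $enabled ); // no capability check, no nonce
    wp_send_json_success();
}

// Hardened shape: verify the request nonce (CSRF) and then an explicit
// capability (authorization) before touching any privileged option.
add_action( 'wp_ajax_example_save_newsletter_settings_fixed', 'example_save_newsletter_settings_fixed' );
function example_save_newsletter_settings_fixed() {
    check_ajax_referer( 'example_newsletter_settings', 'nonce' ); // dies on a bad or missing nonce
    if ( ! current_user_can( 'manage_woocommerce' ) ) {           // shop managers / admins only
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    $enabled = ! empty( $_POST['newsletter_enabled'] );
    update_option( 'example_newsletter_enabled', $enabled );
    wp_send_json_success();
}

// Same rule for REST routes: permission_callback must check a capability,
// not merely return true or test is_user_logged_in().
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/newsletter-settings', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $req ) {
            update_option( 'example_newsletter_enabled', (bool) $req->get_param( 'enabled' ) );
            return rest_ensure_response( array( 'ok' => true ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
    ) );
} );
```

When auditing a plugin for this class of bug, grep every `wp_ajax_`, `admin_post_` and `register_rest_route` handler and confirm that each one calls `current_user_can()` (or an equivalent capability check) before reading or writing privileged state.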
OpenCVE Enrichment