Executive Summary

CVE-2025-14799 is an authorization bypass vulnerability in the Brevo WordPress plugin (formerly Sendinblue) affecting all versions up to and including 3.3.0. The issue arises because the plugin uses loose comparison (==) instead of strict comparison (===) when validating the installation ID in the `/wp-json/mailin/v1/mailin_disconnect` REST API endpoint.

This loose comparison allows unauthenticated attackers to bypass authorization checks by sending a boolean `true` value for the `id` parameter. Due to PHP type juggling, this causes the check to incorrectly succeed.

As a result, attackers can disconnect the Brevo integration, delete the API key, remove all subscription forms, and reset plugin settings without proper authentication.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthenticated attackers to perform sensitive actions on the Brevo plugin integration within a WordPress site.

• Attackers can disconnect the Brevo integration.
• They can delete the API key used by the plugin.
• They can remove all subscription forms managed by the plugin.
• They can reset the plugin settings to default.

These actions can disrupt email, SMS, web push, chat, and marketing automation services provided by the plugin, potentially causing loss of communication with users and interruption of marketing workflows.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unauthorized REST API requests to the `/wp-json/mailin/v1/mailin_disconnect` endpoint that include an `id` parameter with a boolean true value or other unexpected values that bypass authorization.'}, {'type': 'paragraph', 'content': 'You can use network monitoring or web server access logs to identify such requests. For example, using command-line tools like grep on your web server logs to find suspicious calls:'}, {'type': 'list_item', 'content': 'grep "/wp-json/mailin/v1/mailin_disconnect" /path/to/access.log'}, {'type': 'list_item', 'content': 'grep "id=true" /path/to/access.log'}, {'type': 'paragraph', 'content': 'Additionally, you can use curl commands to test if the endpoint is vulnerable by sending a request with the `id` parameter set to true and observing if the request succeeds without authentication:'}, {'type': 'list_item', 'content': 'curl -X POST "https://yourwordpresssite.com/wp-json/mailin/v1/mailin_disconnect" -d "id=true"'}, {'type': 'paragraph', 'content': 'If the request succeeds and disconnects the integration without proper authentication, the system is vulnerable.'}] [2]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update the Brevo WordPress plugin to version 3.3.1 or later, where the vulnerability has been fixed by enforcing strict authentication checks on the REST API endpoints.

If updating immediately is not possible, consider restricting access to the vulnerable REST API endpoint `/wp-json/mailin/v1/mailin_disconnect` by implementing firewall rules or web server access controls to block unauthenticated requests.

• Apply a web application firewall (WAF) rule to block requests to `/wp-json/mailin/v1/mailin_disconnect` from unauthenticated sources.
• Restrict access to the REST API endpoint by IP address or require authentication at the web server level.

Also, monitor your system for any signs of exploitation, such as unexpected disconnections of the Brevo integration or deletion of API keys and subscription forms.

Useful 0 Not Useful 0