Cross-Site Request Forgery Vulnerability Affects Brevo Plugin for WordPress
CVE-2024-8477

4.3MEDIUM

Key Information:

Vendor: Wordpress
Status: Newsletter, Smtp, Email Marketing And Subscribe Forms By Brevo (formely Sendinblue)
Vendor: CVE Published:; 10 October 2024

Summary

The Brevo Newsletter, SMTP, Email marketing, and Subscribe forms plugin for WordPress contains a vulnerability that allows for Cross-Site Request Forgery (CSRF) due to inadequate nonce validation within the Init() function. This security flaw enables unauthenticated attackers to potentially force a logged-in site administrator to log out of a Brevo connection by tricking them into performing an unintended action, such as clicking on a malicious link. This vulnerability affects all plugin versions up to and including 3.1.87, emphasizing the need for website administrators using this plugin to ensure they are operating on the latest version and implementing additional security measures.

Affected Version(s)

Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) * <= 3.1.87

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3165451/mail...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Oct 10, 2024
Vulnerability Reserved
Sep 5, 2024

Credit

Joshua Chan