Authorization Bypass Vulnerability in Brevo Plugin for WordPress
CVE-2025-14799

6.5MEDIUM

Key Information:

Vendor

WordPress

Vendor
CVE Published:
18 February 2026

What is CVE-2025-14799?

The Brevo plugin for WordPress has a vulnerability that allows unauthorized users to bypass authorization checks, enabling them to manipulate the plugin’s settings. This happens due to improper comparison logic in the REST API endpoint, which permits an attacker to send a boolean value that misleads the system into thinking they have valid permissions. As a result, attackers can sever the connection to Brevo, delete API keys, erase subscription forms, and alter the always sensitive plugin configurations. Administrators using this plugin are advised to update to the latest version to mitigate this flaw.

Affected Version(s)

Brevo – Email, SMS, Web Push, Chat, and more. 0 <= 3.3.0

References

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

ISMAILSHADOW
.