Authorization Bypass Vulnerability in Brevo Plugin for WordPress
CVE-2025-14799
6.5MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 18 February 2026
What is CVE-2025-14799?
The Brevo plugin for WordPress has a vulnerability that allows unauthorized users to bypass authorization checks, enabling them to manipulate the plugin’s settings. This happens due to improper comparison logic in the REST API endpoint, which permits an attacker to send a boolean value that misleads the system into thinking they have valid permissions. As a result, attackers can sever the connection to Brevo, delete API keys, erase subscription forms, and alter the always sensitive plugin configurations. Administrators using this plugin are advised to update to the latest version to mitigate this flaw.
Affected Version(s)
Brevo – Email, SMS, Web Push, Chat, and more. 0 <= 3.3.0