PT-2026-20382 · WordPress · Brevo – Email

Ismailshadow · Published 2026-02-18 · Updated 2026-02-18 · CVE-2025-14799

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Affected software and versions: Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress, versions up to and including 3.3.0.

Description: The Brevo plugin for WordPress contains an authorization bypass caused by PHP type juggling. The installation ID supplied to the plugin's REST API is validated with a loose comparison (==) instead of a strict comparison (===). Because in PHP a boolean true loosely equals any non-empty string other than "0", an unauthenticated attacker can satisfy the check by sending a JSON boolean true as the id parameter to the /wp-json/mailin/v1/mailin disconnect API endpoint instead of the real installation ID. Successful exploitation disconnects the Brevo integration, deletes the stored API key, removes all subscription forms, and resets the plugin settings. The vulnerable parameter is id.

Recommendations: Update the Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress to a version later than 3.3.0.
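The comparison flaw described above, reduced to a stand-alone PHP script. This is an added example and not the plugin's own code: the function names (verify_install_id_loose, verify_install_id_strict), the stored installation ID, and the request bodies are all constructed for illustration. It decodes each body the way a JSON REST request would be decoded, then runs the supplied id through a loose (==) check and a strict check side by side, so the effect of a JSON true is visible directly.

```php
<?php
// Added example (not the Brevo plugin's code): models the installation-ID
// check described in the advisory. Function names, the stored ID and the
// sample request bodies are assumptions for illustration only.
declare(strict_types=1);

// Hypothetical installation ID the plugin would have stored at setup time.
const STORED_INSTALL_ID = '8f3c1e2a-demo-install-id';

// Vulnerable pattern: loose comparison. Under PHP type juggling a boolean
// true is equal (==) to any non-empty string other than "0", so the
// stored ID is never actually compared against what the caller sent.
function verify_install_id_loose(string $stored, mixed $supplied): bool
{
    return $supplied == $stored;
}

// Hardened pattern: reject anything that is not a string, then compare
// strictly. hash_equals() is a constant-time string comparison, which also
// avoids leaking the ID byte by byte through response timing.
function verify_install_id_strict(string $stored, mixed $supplied): bool
{
    if (!is_string($supplied)) {
        return false;
    }
    return hash_equals($stored, $supplied);
}

// Constructed request bodies: a legitimate caller, a caller with the wrong
// ID, and an attacker who sends a JSON boolean instead of a string.
$requests = [
    'legitimate'      => '{"id": "8f3c1e2a-demo-install-id"}',
    'wrong id'        => '{"id": "not-the-id"}',
    'attacker (true)' => '{"id": true}',
];

foreach ($requests as $label => $body) {
    // JSON decoding yields a PHP bool for `true`, a string for quoted values.
    $params   = json_decode($body, true);
    $supplied = $params['id'] ?? null;

    printf(
        "%-16s supplied=%-28s loose=%-5s strict=%s\n",
        $label,
        var_export($supplied, true),
        var_export(verify_install_id_loose(STORED_INSTALL_ID, $supplied), true),
        var_export(verify_install_id_strict(STORED_INSTALL_ID, $supplied), true)
    );
}
```

Run with `php` on the command line (PHP 8.0 or later for the `mixed` type). The legitimate request passes both checks, the wrong ID fails both, and the `true` request passes the loose check while failing the strict one; that last row is the bypass. The fix is not only swapping `==` for `===`: the type check is what stops non-string input, and the strict comparison is what stops a forged string.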

Fix

Type Confusion


Weakness Enumeration

Related identifiers

CVE-2025-14799

Affected products

Brevo – Email