What the vulnerability does
01 Description
The "Brevo - Email, SMS, Web Push, Chat, and more." plugin for WordPress is vulnerable to authorization bypass due to type juggling in all versions up to, and including, 3.3.0. This is due to the use of loose comparison (==) instead of strict comparison (===) when validating the installation ID in the `/wp-json/mailin/v1/mailin_disconnect` REST API endpoint. This makes it possible for unauthenticated attackers to disconnect the Brevo integration, delete the API key, remove all subscription forms, and reset plugin settings by sending a boolean `true` value for the `id` parameter, which bypasses the authorization check through PHP type juggling.
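The type-juggling behaviour described above, shown as an added example that is not the plugin's code: a loose `==` check of a supplied `id` against a stored installation ID, beside a hardened version that rejects non-string input before comparing. `STORED_INSTALL_ID`, `check_id_loose` and `check_id_strict` are assumed names, the stored value is a placeholder, and the three request bodies are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. STORED_INSTALL_ID stands in for the
// installation id the plugin keeps in its settings (constructed placeholder).
const STORED_INSTALL_ID = 'install-id-placeholder-0123';

// Vulnerable pattern from the advisory: a loose comparison. When PHP compares
// a bool with a string it converts the string to bool, so any non-empty string
// other than "0" is equal to true. declare(strict_types=1) does not change
// this: it governs parameter/return types, not the == operator.
function check_id_loose(mixed $supplied): bool
{
    return $supplied == STORED_INSTALL_ID;
}

// Hardened form: refuse anything that is not a string before comparing.
// hash_equals() takes exactly two strings (a non-string argument is a
// TypeError in PHP 8), compares strictly, and runs in constant time.
function check_id_strict(mixed $supplied): bool
{
    if (!is_string($supplied)) {
        return false;
    }
    return hash_equals(STORED_INSTALL_ID, $supplied);
}

// Constructed request bodies, decoded the way a JSON REST handler sees them.
// The PHP type of $body['id'] is whatever the client sent.
$requests = [
    'boolean true'   => json_decode('{"id": true}', true),
    'wrong string'   => json_decode('{"id": "some-other-id"}', true),
    'correct string' => json_decode('{"id": "install-id-placeholder-0123"}', true),
];

foreach ($requests as $label => $body) {
    printf(
        "%-15s loose=%-5s strict=%s\n",
        $label,
        var_export(check_id_loose($body['id']), true),
        var_export(check_id_strict($body['id']), true)
    );
}
```

Run it with `php example.php` on PHP 8. The loose check accepts the boolean body because the stored ID, converted to bool, is `true`; the strict check accepts only the exact string. In a WordPress REST route the same constraint can be declared up front by giving the `id` argument `'type' => 'string'` and `'required' => true` in the `args` array passed to `register_rest_route()`, so core schema validation rejects a boolean before the callback runs, and by supplying a `permission_callback` that checks a capability rather than relying on the ID alone.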
Explanation of Vulnerability in Simple Terms
02 Summary
The Brevo plugin versions 3.3.0 and earlier contain a vulnerability that allows unauthenticated attackers to modify data or disrupt service availability. The vulnerability requires no user interaction and can be exploited over the network. No confidentiality impact has been identified, but integrity and availability of the affected component may be compromised.
What an attacker can do
03 Attacker Capabilities
Modify plugin data or cause the plugin to become unavailable without authentication.
Potential impact on your site
04 Site Impact
Site data integrity may be compromised and the plugin may become unavailable without warning.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
February 18, 2026: CVE published
April 8, 2026: Record updated