CVE-2025-14799 MEDIUM

CVE-2025-14799: Brevo - Email, SMS, Web Push, Chat, and more. <= 3.3.0 - Unauthenticated Authorization Bypass via Type Juggling

Vendor Neeraj_Slit
Product Brevo – Email, SMS, Web Push, Chat, and more.
Weakness CWE-843
Published February 18, 2026
Last update April 8, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01 Description

The Brevo - Email, SMS, Web Push, Chat, and more. plugin for WordPress is vulnerable to authorization bypass due to type juggling in all versions up to, and including, 3.3.0. This is due to the use of loose comparison (==) instead of strict comparison (===) when validating the installation ID in the `/wp-json/mailin/v1/mailin_disconnect` REST API endpoint. This makes it possible for unauthenticated attackers to disconnect the Brevo integration, delete the API key, remove all subscription forms, and reset plugin settings by sending a boolean `true` value for the `id` parameter, which bypasses the authorization check through PHP type juggling.
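The bypass described above comes down to PHP's loose comparison semantics: when one operand of `==` is a boolean, the other operand is converted to boolean first, so any non-empty string compares equal to `true`. The following PHP snippet is an added illustration, not code from the plugin or its vendor; the function names, the stored installation id and the request payloads are constructed. It runs the same set of decoded `id` values through a loose check and a hardened check so the difference is visible side by side.

```php
<?php
// Added illustration of the loose-comparison authorization flaw and of a
// hardened replacement. Not the plugin's code: names and values are constructed.

// Constructed stand-in for the installation id a plugin would keep in its options.
const STORED_INSTALLATION_ID = 'inst_7f3a9c2e';

// Vulnerable pattern: loose comparison. With a boolean on one side, PHP
// converts the other side to bool, so true == 'inst_7f3a9c2e' is true and a
// caller who sends boolean true passes without knowing the id.
function is_authorized_loose($id): bool
{
    return $id == STORED_INSTALLATION_ID;
}

// Hardened pattern: reject anything that is not a string, then compare
// without type conversion. hash_equals() is a strict, constant-time string
// comparison, appropriate for secret-like values.
function is_authorized_strict($id): bool
{
    if (!is_string($id)) {
        return false;
    }
    return hash_equals(STORED_INSTALLATION_ID, $id);
}

// Constructed payloads as json_decode() would deliver them from a REST body.
// Note: 0 == 'inst_...' is true on PHP 7 (string cast to int) but false on
// PHP 8, where int-vs-non-numeric-string compares as strings.
$requests = [
    'correct id'   => STORED_INSTALLATION_ID,
    'boolean true' => true,
    'integer zero' => 0,
    'wrong string' => 'not-the-id',
];

printf("%-14s %-6s %-6s\n", 'payload', 'loose', 'strict');
foreach ($requests as $label => $id) {
    printf(
        "%-14s %-6s %-6s\n",
        $label,
        is_authorized_loose($id) ? 'PASS' : 'deny',
        is_authorized_strict($id) ? 'PASS' : 'deny'
    );
}
```

Run it with `php` on the command line; only the correct id should pass the strict check, while the loose check also accepts the boolean. In a WordPress plugin the comparison is only half of the fix: a destructive REST route such as a disconnect handler should also be registered with a `permission_callback` that requires a capability like `manage_options`, rather than relying on a shared identifier as the sole gate (general hardening guidance, not a description of the vendor's patch).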

Explanation of Vulnerability in Simple Terms

02 Summary

The Brevo plugin versions 3.3.0 and earlier contain a vulnerability that allows unauthenticated attackers to modify data or disrupt service availability. The vulnerability requires no user interaction and can be exploited over the network. No confidentiality impact has been identified, but integrity and availability of the affected component may be compromised.

What an attacker can do

03 Attacker Capabilities

Modify plugin data or cause the plugin to become unavailable without authentication.

Potential impact on your site

04 Site Impact

Site data integrity may be compromised and the plugin may become unavailable without warning.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

February 18, 2026 CVE published
April 8, 2026 Record updated