Atomic Edge analysis of CVE-2025-14799:
This vulnerability is an unauthenticated authorization bypass in the Brevo WordPress plugin, affecting versions up to and including 3.3.0. The flaw allows attackers to disconnect the Brevo integration, delete the API key, remove subscription forms, and reset plugin settings without authentication. The CVSS score of 6.5 reflects a medium severity impact on confidentiality, integrity, and availability.
Atomic Edge research identifies the root cause as PHP type juggling due to loose comparison (==) in the `mailin_disconnect` function within `/mailin/sendinblue.php`. The function at line 1834 compares the user-supplied `$user_connection_id` parameter against the stored `$installationId` using the `==` operator. This loose comparison allows a boolean `true` value to match any non-empty string or non-zero integer, bypassing the authorization check. The vulnerable REST API endpoint `/wp-json/mailin/v1/mailin_disconnect` was registered with a permission callback of `__return_true` at line 1792, granting public access.
Exploitation requires sending a DELETE request to the vulnerable REST endpoint with a boolean `true` value for the `id` parameter. Attackers can use the payload `id=true` in the request body or query string. The plugin’s `mailin_disconnect` function processes this parameter, and the loose comparison at line 1834 evaluates `true == $installationId` as true for any non-empty installation ID, granting unauthorized access to the disconnect functionality.
The patch in version 3.3.1 introduces multiple security improvements. It replaces the loose comparison (`==`) with strict comparison (`===`) at line 1836 in the `mailin_disconnect` function. The patch also restructures endpoint registration by moving the `/mailin_disconnect` route to a new `$authenticated_routes` array and introduces a `register_route_authenticated` method. This new method assigns a custom `validate_auth` permission callback that performs the same strict comparison check before the main callback executes. The `validate_auth` function also adds proper HTTP 401 status codes and error handling.
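The following is a constructed illustration of the loose-versus-strict comparison described above (the flaw in the `mailin_disconnect` check and the shape of the 3.3.1 fix). It is added here and is not the Brevo plugin's code; the function names, the sample installation ID and the candidate inputs are assumptions.

```php
<?php
// Constructed example; not the plugin's code. Names and sample values are assumed.

// Pattern of the pre-3.3.1 check: loose comparison (==) against the stored ID.
// PHP's == with a boolean operand converts the other side to bool first, so
// `true` loosely equals every truthy value.
function authorize_loose($user_connection_id, string $installationId): bool
{
    return $user_connection_id == $installationId;
}

// Pattern of the 3.3.1 fix: strict comparison (===) requires identical type and value.
function authorize_strict($user_connection_id, string $installationId): bool
{
    return $user_connection_id === $installationId;
}

// Shape of a permission-callback style check (the role validate_auth plays in the fix):
// refuse with a 401 before the main callback runs. In WordPress this would return a
// WP_Error with array('status' => 401); a plain array stands in for it here.
function validate_auth_strict($request_id, string $installationId)
{
    if (!is_string($request_id) || !authorize_strict($request_id, $installationId)) {
        return ['code' => 'rest_forbidden', 'status' => 401];
    }
    return true;
}

$installationId = 'inst_8f3a2c';  // constructed sample of the stored value

$candidates = [
    'correct id'     => 'inst_8f3a2c',
    'wrong id'       => 'inst_000000',
    'boolean true'   => true,    // a JSON body {"id": true} yields a real boolean
    'string "true"'  => 'true',  // the literal string, without boolean coercion
    'string "0"'     => '0',     // non-empty but falsy: true == "0" is false
    'integer 1'      => 1,
];

// Print a comparison table so the difference between the two checks is visible.
printf("%-15s %-6s %-6s\n", 'input', 'loose', 'strict');
foreach ($candidates as $label => $value) {
    printf("%-15s %-6s %-6s\n", $label,
        authorize_loose($value, $installationId) ? 'PASS' : 'deny',
        authorize_strict($value, $installationId) ? 'PASS' : 'deny');
}
var_dump(validate_auth_strict(true, $installationId));
```

Run it with `php example.php`; note that the strict fix only holds if the stored value and the request parameter are kept as the same type, otherwise a legitimate disconnect would also be refused.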
Successful exploitation allows unauthenticated attackers to disconnect the Brevo service integration completely. This action triggers the `delete_connection` method, which removes the API key, deletes all subscription forms, and resets plugin settings to default. The impact includes service disruption, loss of marketing functionality, and potential data loss for stored form configurations. Attackers could use this to disable email marketing capabilities or as part of a broader attack chain to weaken site security posture.
