Brevo – Email, SMS, Web Push, Chat, and more. Security & Risk Analysis

wordpress.org/plugins/mailin

Turn your WordPress site into a marketing powerhouse. Grow your audience, boost engagement, and drive more sales with Brevo.

100K active installs v3.3.4 PHP 5.6+ WP 4.4+ Updated Apr 10, 2026
Tags: brevo, email-marketing, forms, newsletter, sendinblue
Score: 92 · Grade A · Safe
CVEs total: 9
Unpatched: 0
Last CVE: Feb 17, 2026
Safety Verdict

Is Brevo – Email, SMS, Web Push, Chat, and more. Safe to Use in 2026?

Generally Safe

Score 92/100

Brevo – Email, SMS, Web Push, Chat, and more. has a strong security track record: nine published vulnerabilities, none unpatched, and the 2024–2026 issues were fixed within one to five days of publication. It is a solid choice for most WordPress installations, provided it is kept at 3.3.1 or later, since every version through 3.3.0 is affected by the unauthenticated authorization bypass CVE-2025-14799.

9 known CVEs · Last CVE: Feb 17, 2026 · Updated 1mo ago
Risk Assessment

The 'mailin' plugin, as analyzed at v3.3.2, presents a mixed security posture. Most SQL queries use prepared statements (100 of 106) and most output is escaped (350 of 425), but the attack surface is wide. Of 22 AJAX handlers, 20 are flagged as lacking a nonce or capability check, and only four capability checks were found in the whole plugin. Twenty-one of the handlers are registered on wp_ajax_, so they are reachable by any logged-in user, a Subscriber included, unless the callback itself checks a capability; one handler, sib_get_country_prefix, is also registered on wp_ajax_nopriv_ and is reachable without authentication. The 13 dangerous-function hits (passthru and system) all sit in build.php and release.php of the bundled wonderpush-php-lib, i.e. in that library's own developer tooling; none of the hooks, shortcodes or AJAX entry points listed below reference those files. Shipping such scripts in the distributed package is unnecessary attack surface and they should be stripped, but they are not evidence of a reachable command injection.

The vulnerability history comprises nine published issues, one high-severity and eight medium-severity, none of them unpatched. Six are cross-site scripting (mostly reflected, twice via a lang parameter), two are CSRF, and the most recent, CVE-2025-14799 (Feb 17, 2026, fixed in 3.3.1), is an unauthenticated authorization bypass via PHP type juggling affecting every version through 3.3.0. That last entry is the one that matters most to operators: its 2026 date is correct, not a typo, and it is the only issue in the list that is both unauthenticated and independent of any victim interaction. The 2024–2026 entries show fixes released within one to five days of publication; the 2021–2023 entries carry much longer intervals (258 to 761 days). The single unsanitized data flow, in sib_create_language_sidebar (sendinblue.php:1592), is not rated critical or high, and the scanner does not report which sink it reaches; if a language identifier reaches a file path or include unvalidated, that is a classic path traversal vector, so it warrants a manual check.

In conclusion, the plugin shows good habits in its database and templating code, but the unprotected AJAX surface, the historical run of reflected XSS, and the vendored build scripts keep the risk above what the query and escaping ratios alone would suggest. The concrete fixes are: add a nonce check and an appropriate capability check to every wp_ajax_ handler, keep the nopriv handler read-only, validate the language identifier against an allowlist before it reaches any file operation, and drop the wonderpush-php-lib build and release scripts from the shipped package. Operators should keep the plugin at 3.3.1 or later.
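The AJAX concern above, in code. This is an added example, not the plugin's code: a WordPress AJAX handler in the shape the scanner counts as unprotected, followed by the hardened form with a nonce check, a capability check and allowlist validation, and a public (nopriv) handler kept read-only. The action names, option names, the lang and cc parameters and the prefix table are hypothetical; the WordPress functions called are real core APIs.

```php
<?php
// Added example (not the plugin's code). Action/option names, the 'lang' and 'cc'
// parameters and the prefix table are hypothetical; the WP functions are real.

// --- Unprotected shape. wp_ajax_* callbacks run for ANY logged-in user
// (a Subscriber included) unless the callback checks a capability, and
// nothing here verifies a nonce, so a cross-site request also succeeds.
add_action( 'wp_ajax_example_update_setting', 'example_update_setting_unprotected' );
function example_update_setting_unprotected() {
    update_option( 'example_setting', $_POST['value'] ); // unchecked, unsanitized
    wp_send_json_success();
}

// --- Hardened shape.
add_action( 'wp_ajax_example_update_setting_safe', 'example_update_setting_safe' );
function example_update_setting_safe() {
    // 1. CSRF: the request must carry a nonce minted for this specific action.
    check_ajax_referer( 'example_update_setting', 'nonce' );

    // 2. Authorization: logged-in is not enough; require the capability that
    //    matches what the action does (changing plugin settings => manage_options).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input: validate against an allowlist with strict comparison rather
    //    than trusting the string; this also closes the path-traversal case
    //    if the value is later used to locate a file.
    $lang    = isset( $_POST['lang'] ) ? sanitize_key( wp_unslash( $_POST['lang'] ) ) : '';
    $allowed = array( 'en', 'fr', 'de', 'es' ); // hypothetical allowlist
    if ( ! in_array( $lang, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid lang' ), 400 );
    }

    update_option( 'example_setting_lang', $lang );
    wp_send_json_success( array( 'lang' => $lang ) );
}

// --- Public (nopriv) handlers run with no user at all, so they must be
// read-only and must not reveal or change state based on caller input.
add_action( 'wp_ajax_nopriv_example_get_prefix', 'example_get_prefix' );
add_action( 'wp_ajax_example_get_prefix', 'example_get_prefix' );
function example_get_prefix() {
    $prefixes = array( 'US' => '+1', 'FR' => '+33', 'DE' => '+49' ); // constructed table
    $cc = isset( $_GET['cc'] ) ? strtoupper( sanitize_text_field( wp_unslash( $_GET['cc'] ) ) ) : '';
    if ( ! isset( $prefixes[ $cc ] ) ) {
        wp_send_json_error( array( 'message' => 'unknown country' ), 404 );
    }
    wp_send_json_success( array( 'prefix' => $prefixes[ $cc ] ) );
}

// The nonce the admin page sends is minted where the admin script is enqueued:
// wp_localize_script( 'example-admin', 'exampleAjax', array(
//     'nonce' => wp_create_nonce( 'example_update_setting' ),
// ) );
```

When reviewing a handler list like the one on this page, the question to ask of each wp_ajax_ callback is which of the three checks above it performs; a nonce alone only proves the request came from a page the same user loaded, it does not prove that user may perform the action.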

Key Concerns

  • 20 of 22 AJAX handlers without a nonce or capability check (21 reachable by any logged-in user, 1 by anonymous callers)
  • Dangerous functions (passthru, system) in the build/release scripts of the bundled wonderpush-php-lib
  • One past high-severity vulnerability (cross-site scripting, 2022)
  • Eight past medium-severity vulnerabilities, including a 2026 unauthenticated authorization bypass
  • One data flow with an unsanitized path (sib_create_language_sidebar)
  • Only 4 capability checks across the plugin
Vulnerabilities
9 published

Brevo – Email, SMS, Web Push, Chat, and more. Security Vulnerabilities

CVEs by Year

  2021: 1
  2022: 2
  2023: 1
  2024: 4
  2026: 1

Severity Breakdown

High
1
Medium
8

9 total CVEs

CVE-2025-14799 · medium 6.5 · Access of Resource Using Incompatible Type ('Type Confusion')
  Brevo - Email, SMS, Web Push, Chat, and more. <= 3.3.0 - Unauthenticated Authorization Bypass via Type Juggling
  Feb 17, 2026 · Patched in 3.3.1 (1d)

CVE-2024-8477 · medium 4.3 · Cross-Site Request Forgery (CSRF)
  Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) <= 3.1.87 - Cross-Site Request Forgery
  Oct 9, 2024 · Patched in 3.1.88 (1d)

CVE-2024-43287 · medium 4.3 · Cross-Site Request Forgery (CSRF)
  Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue <= 3.1.82 - Cross-Site Request Forgery
  Aug 16, 2024 · Patched in 3.1.83 (4d)

CVE-2024-35668 · medium 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue <= 3.1.77 - Reflected Cross-Site Scripting
  Jun 3, 2024 · Patched in 3.1.78 (5d)

WF-bf4cb79e-e62b-4991-8ee5-493dafe38b80-mailin · medium 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) <= 3.1.77 - Reflected Cross-Site Scripting
  Mar 22, 2024 · Patched in 3.1.78 (1d)

CVE-2023-2472 · medium 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue <= 3.1.60 - Reflected Cross-Site Scripting via 'lang'
  May 10, 2023 · Patched in 3.1.61 (258d)

WF-86f7eb83-8483-4c6b-993e-ce11084241e8-mailin · high 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue <= 3.1.39 - Cross-Site Scripting
  Apr 8, 2022 · Patched in 3.1.40 (655d)

CVE-2021-24874 · medium 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue <= 3.1.30 - Reflected Cross-Site Scripting via lang & pid Parameters
  Jan 12, 2022 · Patched in 3.1.31 (741d)

CVE-2021-24923 · medium 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue <= 3.1.24 - Reflected Cross-Site Scripting
  Dec 23, 2021 · Patched in 3.1.25 (761d)
Version History

Brevo – Email, SMS, Web Push, Chat, and more. Release Timeline

v3.3.4   current
v3.3.3   6 files changed
v3.3.2   3 files changed
v3.3.1   3 files changed
v3.3.0   1 CVE · 135 files changed
v3.2.9   1 CVE · 7 files changed
v3.2.8   1 CVE · 5 files changed
v3.2.7   1 CVE · 18 files changed
v3.2.6   1 CVE · 7 files changed
v3.2.5   1 CVE · 6 files changed
v3.2.4   1 CVE · 5 files changed
v3.2.3   1 CVE · 21 files changed
v3.2.2   1 CVE · 13 files changed
v3.2.1   1 CVE · 18 files changed
v3.2.0   1 CVE · 21 files changed
v3.1.98  1 CVE · 176 files changed
v3.1.97  1 CVE · 3 files changed
v3.1.96  1 CVE · 6 files changed
v3.1.95  1 CVE · 3 files changed
v3.1.94  1 CVE · 4 files changed
Code Analysis
Analyzed Mar 16, 2026

Brevo – Email, SMS, Web Push, Chat, and more. Code Analysis

Dangerous Functions: 13
Raw SQL Queries: 6 (100 prepared)
Unescaped Output: 75 (350 escaped)
Nonce Checks: 21
Capability Checks: 4
File Operations: 15
External Requests: 5
Bundled Libraries: 2

Dangerous Functions Found

passthru  passthru('composer install', $returnStatus);                               wonderpush-php-lib\build.php:16
passthru  passthru("./vendor/bin/phpunit -c $config", $returnStatus);                wonderpush-php-lib\build.php:27
passthru  passthru('composer dump-autoload');                                        wonderpush-php-lib\build.php:30
system    $uncleanFiles = system('git status --porcelain');                          wonderpush-php-lib\release.php:13
passthru  passthru("$root/test");                                                    wonderpush-php-lib\release.php:25
passthru  passthru("git commit -m 'Release $newVersion' " . VERSION_FILENAME);       wonderpush-php-lib\release.php:62
passthru  passthru("git tag -a -m 'Release $newVersion' v$newVersion");              wonderpush-php-lib\release.php:63
passthru  passthru("$root/doc/generate");                                            wonderpush-php-lib\release.php:73
passthru  passthru('git checkout gh-pages');                                         wonderpush-php-lib\release.php:74
passthru  passthru("git add latest $newVersion");                                    wonderpush-php-lib\release.php:79
passthru  passthru("git commit -m \"Documentation site for v$newVersion\"");         wonderpush-php-lib\release.php:80
passthru  passthru('git checkout master');                                           wonderpush-php-lib\release.php:81
passthru  passthru("git commit -m 'Prepare next release' " . VERSION_FILENAME);      wonderpush-php-lib\release.php:108

All 13 hits are in two files of the bundled wonderpush-php-lib, build.php and release.php, which are the library's own build, test and release scripts (composer, phpunit, git). None of the hooks, shortcodes or AJAX entry points listed under Attack Surface reference those files, so these calls are not wired to any web request; the practical issue is that developer tooling is shipped inside the plugin package at all, and the fix is to exclude it from the distribution.

Bundled Libraries

Select2, jQuery

SQL Query Safety

94% prepared (106 total queries)

Output Escaping

82% escaped (425 total outputs)
Data Flows · Security
1 unsanitized

Data Flow Analysis

9 flows · 1 with unsanitized paths
sib_create_language_sidebar (sendinblue.php:1592)
Attack Surface
20 unprotected

Brevo – Email, SMS, Web Push, Chat, and more. Attack Surface

Entry Points: 23
Unprotected: 20

AJAX Handlers 22

auth    wp_ajax_sib_get_push_configuration                 inc\push-api.php:13
auth    wp_ajax_sib_update_push_configuration              inc\push-api.php:14
auth    wp_ajax_sib_push_get_post_metadata                 inc\push-api.php:15
auth    wp_ajax_sib_push_set_push_activated                inc\push-api.php:16
auth    wp_ajax_sib_push_management_api                    inc\push-api.php:17
auth    wp_ajax_sib_push_upload                            inc\push-api.php:18
auth    wp_ajax_sib_push_force_create_cart_reminder_campaign inc\push-api.php:19
auth    wp_ajax_sib_validate_process                       sendinblue.php:308
auth    wp_ajax_sib_validate_ma                            sendinblue.php:309
auth    wp_ajax_sib_activate_email_change                  sendinblue.php:310
auth    wp_ajax_sib_sender_change                          sendinblue.php:311
auth    wp_ajax_sib_send_email                             sendinblue.php:312
auth    wp_ajax_sib_remove_cache                           sendinblue.php:313
auth    wp_ajax_sib_sync_users                             sendinblue.php:314
auth    wp_ajax_sib_change_template                        sendinblue.php:316
auth    wp_ajax_sib_get_lists                              sendinblue.php:317
auth    wp_ajax_sib_get_templates                          sendinblue.php:318
auth    wp_ajax_sib_get_attributes                         sendinblue.php:319
auth    wp_ajax_sib_update_form_html                       sendinblue.php:320
auth    wp_ajax_sib_copy_origin_form                       sendinblue.php:321
auth    wp_ajax_sib_get_country_prefix                     sendinblue.php:323
nopriv  wp_ajax_sib_get_country_prefix                     sendinblue.php:324

("auth" marks a handler registered on wp_ajax_, which WordPress runs for any logged-in user; "nopriv" marks one registered on wp_ajax_nopriv_, which runs for anonymous requests.)

Shortcodes 1

[sibwp_form] sendinblue.php:341
WordPress Hooks 43

action  updated_option                           inc\push-api.php:20
filter  the_content                              inc\push-public.php:10
action  wp_head                                  inc\push-public.php:16
action  amp_post_template_body_open              inc\push-public.php:28
filter  ampforwp_after_header                    inc\push-public.php:33
filter  amp_post_template_head                   inc\push-public.php:37
action  amp_post_template_css                    inc\push-public.php:39
action  amp_post_template_footer                 inc\push-public.php:41
action  woocommerce_before_single_product        inc\push-woocommerce.php:44
action  wp_head                                  inc\push-woocommerce.php:47
action  woocommerce_add_to_cart                  inc\push-woocommerce.php:50
action  woocommerce_remove_cart_item             inc\push-woocommerce.php:51
action  woocommerce_cart_item_restored           inc\push-woocommerce.php:52
action  woocommerce_thankyou                     inc\push-woocommerce.php:53
action  woocommerce_order_status_changed         inc\push-woocommerce.php:56
action  admin_head                               inc\table-forms.php:32
action  plugins_loaded                           sendinblue.php:292
action  upgrader_process_complete                sendinblue.php:293
action  admin_init                               sendinblue.php:294
action  admin_menu                               sendinblue.php:295
action  rest_api_init                            sendinblue.php:296
action  wp_print_scripts                         sendinblue.php:298
action  wp_enqueue_scripts                       sendinblue.php:299
action  wp_dashboard_setup                       sendinblue.php:300
action  admin_init                               sendinblue.php:301
action  admin_bar_menu                           sendinblue.php:302
filter  query_vars                               sendinblue.php:305
action  parse_request                            sendinblue.php:306
action  init                                     sendinblue.php:326
action  init                                     sendinblue.php:327
action  init                                     sendinblue.php:331
action  wp_login                                 sendinblue.php:333
action  widgets_init                             sendinblue.php:343
action  sib_language_sidebar                     sendinblue.php:367
action  admin_notices                            sendinblue.php:411
action  wp_head                                  sendinblue.php:472
action  admin_action_sib_setting_subscription    sendinblue.php:479
action  admin_action_nopriv_sib_setting_subscription sendinblue.php:480
filter  safe_style_css                           sendinblue.php:1779
action  sendinblue_init                          sendinblue.php:1942
filter  widget_text                              sendinblue.php:1943
action  save_post                                sendinblue.php:1944
action  transition_post_status                   sendinblue.php:1945
Maintenance & Trust

Brevo – Email, SMS, Web Push, Chat, and more. Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 10, 2026
PHP min version: 5.6
Downloads: 7.2M

Community Trust

Rating: 82/100
Number of ratings: 283
Active installs: 100K
Developer Profile

Brevo – Email, SMS, Web Push, Chat, and more. Developer Profile

Brevo

2 plugins · 130K total installs

Trust score: 74
Avg Security Score: 93/100
Avg Patch Time: 206 days
Detection Fingerprints

How We Detect Brevo – Email, SMS, Web Push, Chat, and more.

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  /wp-content/plugins/mailin/css/style.css
  /wp-content/plugins/mailin/css/frontend.css
  /wp-content/plugins/mailin/css/form-builder.css
  /wp-content/plugins/mailin/css/wizard.css
  /wp-content/plugins/mailin/js/admin.js
  /wp-content/plugins/mailin/js/frontend.js
  /wp-content/plugins/mailin/js/form-builder.js
  /wp-content/plugins/mailin/js/wizard.js
  +5 more
Script Paths
  https://cdn.brevo.com/js/sdk-loader.js
  https://cdn.brevo.com/js/sdk-staging-loader.js
Version Parameters
  mailin/css/style.css?ver=
  mailin/css/frontend.css?ver=
  mailin/css/form-builder.css?ver=
  mailin/css/wizard.css?ver=
  mailin/js/admin.js?ver=
  mailin/js/frontend.js?ver=
  mailin/js/form-builder.js?ver=
  mailin/js/wizard.js?ver=
  mailin/js/admin-marketing.js?ver=
  mailin/js/admin-wizard.js?ver=
  mailin/js/admin-import.js?ver=
  mailin/js/mailin-affiliate.js?ver=
  mailin/js/customizer.js?ver=

HTML / DOM Fingerprints

CSS Classes
  sib_marketing_automation, sib_wizard_container, sib_api_connection_form, sib_form_builder, sib_button, sib_text_input, sib_textarea, sib_select, +8 more
Data Attributes
  data-require, data-sitekey, data-error-callback, data-theme
JS Globals
  Mailin, SendinblueApiClient, SendinblueAccount, Sendinblue, SIB_Push_Utils, SIB_Push_Settings, +19 more
REST Endpoints
  /wp-json/mailin/v1
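A worked detector built from the fingerprints above, as an added example and not the page's own scanner: it looks for the plugin's asset paths or the Brevo SDK loader, reads the plugin version from the ?ver= parameter WordPress appends to enqueued assets, and compares it with the affected-version ceilings taken from the advisory titles on this page. The HTML is a constructed sample, not a capture from a real site. Caveat: ?ver= carries the WordPress core version rather than the plugin's when an asset is enqueued without an explicit version, and some caching layers strip it, so an absent or implausible version means "unknown", never "safe".

```php
<?php
// Added example (not the page's scanner). The HTML below is a constructed sample;
// the advisory ceilings are copied from the CVE titles on this page.

$html = <<<'HTML'
<link rel="stylesheet" href="https://example.test/wp-content/plugins/mailin/css/frontend.css?ver=3.1.77" />
<script src="https://example.test/wp-content/plugins/mailin/js/frontend.js?ver=3.1.77"></script>
<script src="https://cdn.brevo.com/js/sdk-loader.js"></script>
HTML;

// Highest affected version per advisory ("<= X" in the titles above).
$affected_up_to = array(
    'CVE-2025-14799' => '3.3.0',
    'CVE-2024-8477'  => '3.1.87',
    'CVE-2024-43287' => '3.1.82',
    'CVE-2024-35668' => '3.1.77',
    'CVE-2023-2472'  => '3.1.60',
    'CVE-2021-24874' => '3.1.30',
    'CVE-2021-24923' => '3.1.24',
);

// Returns null if the plugin is not detected, otherwise
// array('present' => true, 'version' => string|null).
function detect_mailin( $html ) {
    // Presence: a plugin asset path, or the Brevo SDK loader (either variant).
    $present = preg_match( '#/wp-content/plugins/mailin/#', $html )
            || preg_match( '#https://cdn\.brevo\.com/js/sdk(?:-staging)?-loader\.js#', $html );
    if ( ! $present ) {
        return null;
    }

    // Version: the ?ver= query string on a plugin css/js asset. The capture
    // requires a leading digit so a cache-buster hash is not mistaken for a version.
    $version = null;
    if ( preg_match( '#/wp-content/plugins/mailin/(?:css|js)/[\w.-]+\.(?:css|js)\?ver=([0-9][\w.-]*)#', $html, $m ) ) {
        $version = $m[1];
    }
    return array( 'present' => true, 'version' => $version );
}

// Every advisory whose ceiling is >= the detected version.
function affected_advisories( $version, array $affected_up_to ) {
    $hits = array();
    foreach ( $affected_up_to as $id => $ceiling ) {
        if ( version_compare( $version, $ceiling, '<=' ) ) {
            $hits[] = $id;
        }
    }
    return $hits;
}

$result = detect_mailin( $html );
if ( $result === null ) {
    echo "mailin not detected\n";
} elseif ( $result['version'] === null ) {
    // Present but unversioned: report, do not clear.
    echo "mailin detected, version unknown\n";
} else {
    $hits = affected_advisories( $result['version'], $affected_up_to );
    printf( "mailin %s detected; matching advisories: %s\n",
        $result['version'], $hits ? implode( ', ', $hits ) : 'none' );
}
```

Run against the sample, the detector reports version 3.1.77 and matches the four advisories whose ceiling is 3.1.77 or higher; a site at 3.3.1 or later matches none. Because a version string is self-reported by the page, a match is a reason to verify, not proof of exploitability.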
FAQ

Frequently Asked Questions about Brevo – Email, SMS, Web Push, Chat, and more.