All-in-one WooCommerce email marketing, automation, SMS, and CRM by Brevo. Grow your store with powerful marketing tools.

30K active installs · v4.0.52 · PHP 5.6+ · WP 4.3+ · Updated Mar 10, 2026
Tags: email-marketing · marketing-automation · newsletter · sms · woocommerce
Security score: 93 · Grade A · Safe
CVEs total: 3
Unpatched: 0
Last CVE: Jan 8, 2026
Safety Verdict

Is Brevo for WooCommerce Safe to Use in 2026?

Generally Safe

Score 93/100

Brevo for WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Jan 8, 2026 · Updated 24d ago
Risk Assessment

The "woocommerce-sendinblue-newsletter-subscription" plugin v4.0.52 presents a mixed security posture. While it demonstrates some good practices, such as using prepared statements for all SQL queries and having no known unpatched vulnerabilities, there are significant areas of concern.

The static analysis reveals a considerable attack surface: 6 AJAX handlers, all of which lack authorization checks. This is a critical oversight, since it means any user, regardless of logged-in status or capabilities, could potentially interact with these handlers and trigger unintended actions or expose sensitive information. The taint analysis shows 4 flows with unsanitized paths; although none reached critical or high severity, they still warrant attention, since they could become exploitable if combined with missing sanitization or authorization. The limited output escaping (47%) also suggests potential for Cross-Site Scripting (XSS) vulnerabilities.

The plugin's vulnerability history, with 3 past CVEs including high-severity Cross-Site Scripting, Missing Authorization, and Path Traversal, is a strong indicator of past security weaknesses. The fact that the last vulnerability was in 2026 suggests ongoing issues, even if they are currently patched. The pattern of past vulnerabilities highlights a recurring need for robust input validation, authorization checks, and secure handling of file paths. While the current version has no unpatched CVEs, the historical trend and the static analysis findings, particularly the unprotected AJAX handlers and unsanitized paths, indicate a need for caution.

Key Concerns

  • 6 unprotected AJAX handlers
  • 4 unsanitized paths in taint analysis
  • 47% properly escaped output
  • Vulnerability history: 2 High, 1 Medium
  • Missing capability checks
  • 1 nonce check for 6 AJAX handlers

Vulnerabilities: 3

Brevo for WooCommerce Security Vulnerabilities

CVEs by Year

  • 2024: 1 CVE
  • 2025: 1 CVE
  • 2026: 1 CVE

Severity Breakdown

  • High: 2
  • Medium: 1

3 total CVEs

CVE-2025-14436 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Brevo for WooCommerce <= 4.0.49 - Unauthenticated Stored Cross-Site Scripting

Jan 8, 2026 · Patched in 4.0.50 (1d)

CVE-2025-66128 · medium · 5.3 · Missing Authorization

Sendinblue for WooCommerce <= 4.0.49 - Missing Authorization

Dec 14, 2025 · Patched in 4.0.50 (31d)

CVE-2024-32807 · high · 7.2 · Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Sendinblue for WooCommerce <= 4.0.17 - Authenticated (Editor+) Arbitrary File Download and Deletion

Apr 22, 2024 · Patched in 4.0.18 (8d)
Code Analysis
Analyzed Mar 16, 2026

Brevo for WooCommerce Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 0 (4 prepared)
  • Unescaped Output: 24 (21 escaped)
  • Nonce Checks: 1
  • Capability Checks: 0
  • File Operations: 2
  • External Requests: 2
  • Bundled Libraries: 0

SQL Query Safety

100% prepared · 4 total queries

Output Escaping

47% escaped · 45 total outputs

Data Flows: 4 unsanitized

Data Flow Analysis

4 flows · 4 with unsanitized paths

  • get_file_contents (src\managers\api-manager.php:595)
Attack Surface: 6 unprotected

Brevo for WooCommerce Attack Surface

Entry Points: 6
Unprotected: 6

AJAX Handlers (6)

  • nopriv · wp_ajax_the_ajax_hook · src\managers\api-manager.php:65
  • auth · wp_ajax_the_ajax_hook · src\managers\api-manager.php:66
  • auth · wp_ajax_sib_back_in_stock · src\managers\api-manager.php:75
  • nopriv · wp_ajax_sib_back_in_stock · src\managers\api-manager.php:76
  • auth · wp_ajax_sib_get_back_in_stock_form · src\managers\api-manager.php:78
  • nopriv · wp_ajax_sib_get_back_in_stock_form · src\managers\api-manager.php:79
WordPress Hooks (38)

  • action · admin_menu · src\managers\admin-manager.php:33
  • action · rest_api_init · src\managers\admin-manager.php:34
  • action · wp_head · src\managers\admin-manager.php:35
  • action · wp_enqueue_scripts · src\managers\admin-manager.php:36
  • action · wp_footer · src\managers\admin-manager.php:37
  • action · wp_login · src\managers\api-manager.php:49
  • action · wp_footer · src\managers\api-manager.php:50
  • filter · woocommerce_add_to_cart_fragments · src\managers\api-manager.php:51
  • action · woocommerce_thankyou · src\managers\api-manager.php:52
  • action · woocommerce_order_status_changed · src\managers\api-manager.php:53
  • action · woocommerce_order_status_refunded · src\managers\api-manager.php:54
  • action · woocommerce_order_note_added · src\managers\api-manager.php:55
  • action · woocommerce_created_customer · src\managers\api-manager.php:56
  • action · save_post_product · src\managers\api-manager.php:57
  • action · before_delete_post · src\managers\api-manager.php:58
  • action · created_term · src\managers\api-manager.php:59
  • action · edit_term · src\managers\api-manager.php:60
  • action · delete_term · src\managers\api-manager.php:61
  • action · woocommerce_order_status_changed · src\managers\api-manager.php:62
  • action · woocommerce_new_order · src\managers\api-manager.php:63
  • action · woocommerce_order_refunded · src\managers\api-manager.php:64
  • filter · woocommerce_update_cart_action_cart_updated · src\managers\api-manager.php:67
  • filter · woocommerce_add_to_cart · src\managers\api-manager.php:68
  • action · woocommerce_cart_item_removed · src\managers\api-manager.php:69
  • action · woocommerce_before_single_product_summary · src\managers\api-manager.php:70
  • action · woocommerce_product_set_stock_status · src\managers\api-manager.php:71
  • action · woocommerce_variation_set_stock_status · src\managers\api-manager.php:72
  • action · woocommerce_reduce_order_stock · src\managers\api-manager.php:73
  • action · woocommerce_single_product_summary · src\managers\api-manager.php:74
  • action · woocommerce_after_variations_form · src\managers\api-manager.php:77
  • action · woocommerce_checkout_after_terms_and_conditions · src\managers\api-manager.php:84
  • filter · woocommerce_checkout_fields · src\managers\api-manager.php:85
  • action · woocommerce_checkout_update_order_meta · src\managers\api-manager.php:86
  • action · before_woocommerce_init · woocommerce-sendinblue.php:144
  • action · plugins_loaded · woocommerce-sendinblue.php:227
  • action · init · woocommerce-sendinblue.php:228
  • action · update_to_sendinblue_new_plugin · woocommerce-sendinblue.php:229
  • action · admin_notices · woocommerce-sendinblue.php:234
Maintenance & Trust

Brevo for WooCommerce Maintenance & Trust

Maintenance Signals

  • WordPress version tested: 6.9.4
  • Last updated: Mar 10, 2026
  • PHP min version: 5.6
  • Downloads: 1.2M

Community Trust

  • Rating: 62/100
  • Number of ratings: 44
  • Active installs: 30K
Developer Profile

Brevo for WooCommerce Developer Profile

Brevo

2 plugins · 130K total installs

  • Trust score: 74
  • Avg Security Score: 93/100
  • Avg Patch Time: 206 days
Detection Fingerprints

How We Detect Brevo for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/woocommerce-sendinblue-newsletter-subscription/assets/css/admin.css
  • /wp-content/plugins/woocommerce-sendinblue-newsletter-subscription/assets/css/front.css
  • /wp-content/plugins/woocommerce-sendinblue-newsletter-subscription/assets/js/admin.js
  • /wp-content/plugins/woocommerce-sendinblue-newsletter-subscription/assets/js/front.js
  • /wp-content/plugins/woocommerce-sendinblue-newsletter-subscription/assets/js/woo-cart-checkout.js

Script Paths

  • /wp-content/plugins/woocommerce-sendinblue-newsletter-subscription/assets/js/admin.js
  • /wp-content/plugins/woocommerce-sendinblue-newsletter-subscription/assets/js/front.js
  • /wp-content/plugins/woocommerce-sendinblue-newsletter-subscription/assets/js/woo-cart-checkout.js

Version Parameters

  • woocommerce-sendinblue-newsletter-subscription/assets/css/admin.css?ver=
  • woocommerce-sendinblue-newsletter-subscription/assets/css/front.css?ver=
  • woocommerce-sendinblue-newsletter-subscription/assets/js/admin.js?ver=
  • woocommerce-sendinblue-newsletter-subscription/assets/js/front.js?ver=
  • woocommerce-sendinblue-newsletter-subscription/assets/js/woo-cart-checkout.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • sendinblue-checkout-form
  • sib_form_wrapper
  • sib_form_field_wrapper
  • sib_checkbox_wrapper

HTML Comments

  • Sendinblue Checkout Form
  • Sendinblue Woocommerce Checkout Form

Data Attributes

  • data-sendinblue-integration-status

JS Globals

  • sib_checkout_form_params
FAQ

Frequently Asked Questions about Brevo for WooCommerce