CVE-2025-66128

Sendinblue for WooCommerce <= 4.0.49 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
4.0.50
Patched in
31d
Time to patch

Description

The Sendinblue for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.0.49. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.0.49
PublishedDecember 14, 2025
Last updatedJanuary 13, 2026

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2025-66128 ## 1. Vulnerability Summary The **Brevo (formerly Sendinblue) for WooCommerce** plugin (versions <= 4.0.49) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, certain administrative functions are registered via `wp_…

Show full research plan

Exploitation Research Plan - CVE-2025-66128

1. Vulnerability Summary

The Brevo (formerly Sendinblue) for WooCommerce plugin (versions <= 4.0.49) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, certain administrative functions are registered via wp_ajax_nopriv_* hooks or lack current_user_can() checks within the function callbacks. This allows unauthenticated attackers to trigger sensitive actions, such as fetching contact lists or synchronizing user data with the Brevo API, which should be restricted to administrators.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: sib_get_lists (or sib_sync_users)
  • HTTP Method: POST
  • Authentication: None required (vulnerable via nopriv registration).
  • Preconditions: The plugin must be installed and activated. Most impact is realized if a Brevo API key is configured, as the vulnerable functions often interact with the Brevo API.

3. Code Flow

  1. Entry Point: The plugin registers AJAX handlers in its initialization phase (likely in includes/class-sib-ajax.php or admin/class-sib-admin.php).
  2. Hook Registration:
    add_action( 'wp_ajax_sib_get_lists', array( $this, 'ajax_sib_get_lists' ) );
    add_action( 'wp_ajax_nopriv_sib_get_lists', array( $this, 'ajax_sib_get_lists' ) );
    
  3. Vulnerable Function: The callback ajax_sib_get_lists (inferred) is executed.
  4. Missing Check: The function performs an API request to Brevo to retrieve mailing lists and potentially updates local options with the results. It lacks:
    • current_user_can( 'manage_options' ) (Authorization check)
    • check_ajax_referer( 'sib_nonce', 'security' ) (Proper nonce verification, or it uses a leaked nonce).
  5. Sink: The function returns JSON data containing private mailing list information or triggers an outbound synchronization process.

4. Nonce Acquisition Strategy

While the vulnerability is "unauthenticated," if the plugin performs a check_ajax_referer call, we must obtain a valid nonce. In this plugin, nonces are typically localized for the Brevo dashboard or subscription forms.

  1. Identify Shortcode: The plugin uses the shortcode [sibwp_form] to render subscription forms.
  2. Create Test Page:
    wp post create --post_type=page --post_title="Newsletter" --post_status=publish --post_content='[sibwp_form]'
    
  3. Navigate and Extract:
    • Navigate to the newly created page.
    • Use browser_eval to search for localized script data. The plugin typically uses sib_admin_obj or sib_vars.
    • JavaScript Variable (Inferred): window.sib_admin_obj?.sib_nonce or window.sib_vars?.nonce.
  4. Bypass Check: If wp_ajax_nopriv is registered without a nonce check (or die=false is used), the nonce may not even be required.

5. Exploitation Strategy

We will attempt to trigger the sib_get_lists action, which is a common administrative task in this plugin used to refresh list metadata.

  • Request URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Payload: action=sib_get_lists&security=[NONCE] (If nonce is required).
  • Alternative Payload: action=sib_sync_users (To trigger customer synchronization).

Steps:

  1. Attempt the request without a nonce to see if the check is entirely missing.
  2. If it fails with 403 or -1, perform the Nonce Acquisition Strategy above and retry.
  3. Analyze the JSON response.

6. Test Data Setup

  1. Install Plugin: wp plugin install woocommerce-sendinblue-newsletter-subscription --version=4.0.49 --activate
  2. Mock Configuration (Required for sink reachability):
    • The plugin usually requires an API key to perform list-related actions.
    • wp option update sib_api_key "xkeysib-test-key-123456789"
    • wp option update sib_status "on"
  3. Create Form Page: Place the shortcode on a page for possible nonce extraction.

7. Expected Results

  • Success: The server returns a 200 OK response with a JSON body.
  • Data Leakage: The JSON body contains list names, IDs, or synchronization status (e.g., {"status":"success","lists":[...]}).
  • Unauthorized Action: The server logs show an outbound request to the Brevo API triggered by an unauthenticated IP.

8. Verification Steps

  1. Verify via Logs: Check the Brevo plugin's log file (often found in wp-content/uploads/sib_log.txt or similar, depending on plugin settings) to see if a sync was initiated.
  2. Verify via Options: Check if the list cache has been updated in the database:
    wp option get sib_lists
    
  3. Verify Response Content: Ensure the HTTP response contains data that should only be visible to administrators.

9. Alternative Approaches

  • Action Brute-force: If sib_get_lists is not the vulnerable action, try:
    • sib_resync_lists
    • sib_check_api_key
    • sib_update_contact
  • Parameter Variation: Try sending the parameters via GET instead of POST if admin-ajax.php is configured to handle $_REQUEST.
  • Direct Hook Audit: If source files become available, search for add_action( 'wp_ajax_nopriv_ and prioritize handlers that lack current_user_can.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.