Sendinblue for WooCommerce <= 4.0.49 - Missing Authorization
Description
The Sendinblue for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 4.0.49. This makes it possible for unauthenticated attackers to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=4.0.49Source Code
WordPress.org SVN# Exploitation Research Plan - CVE-2025-66128 ## 1. Vulnerability Summary The **Brevo (formerly Sendinblue) for WooCommerce** plugin (versions <= 4.0.49) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, certain administrative functions are registered via `wp_…
Show full research plan
Exploitation Research Plan - CVE-2025-66128
1. Vulnerability Summary
The Brevo (formerly Sendinblue) for WooCommerce plugin (versions <= 4.0.49) contains a missing authorization vulnerability in its AJAX handling logic. Specifically, certain administrative functions are registered via wp_ajax_nopriv_* hooks or lack current_user_can() checks within the function callbacks. This allows unauthenticated attackers to trigger sensitive actions, such as fetching contact lists or synchronizing user data with the Brevo API, which should be restricted to administrators.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
sib_get_lists(orsib_sync_users) - HTTP Method:
POST - Authentication: None required (vulnerable via
noprivregistration). - Preconditions: The plugin must be installed and activated. Most impact is realized if a Brevo API key is configured, as the vulnerable functions often interact with the Brevo API.
3. Code Flow
- Entry Point: The plugin registers AJAX handlers in its initialization phase (likely in
includes/class-sib-ajax.phporadmin/class-sib-admin.php). - Hook Registration:
add_action( 'wp_ajax_sib_get_lists', array( $this, 'ajax_sib_get_lists' ) ); add_action( 'wp_ajax_nopriv_sib_get_lists', array( $this, 'ajax_sib_get_lists' ) ); - Vulnerable Function: The callback
ajax_sib_get_lists(inferred) is executed. - Missing Check: The function performs an API request to Brevo to retrieve mailing lists and potentially updates local options with the results. It lacks:
current_user_can( 'manage_options' )(Authorization check)check_ajax_referer( 'sib_nonce', 'security' )(Proper nonce verification, or it uses a leaked nonce).
- Sink: The function returns JSON data containing private mailing list information or triggers an outbound synchronization process.
4. Nonce Acquisition Strategy
While the vulnerability is "unauthenticated," if the plugin performs a check_ajax_referer call, we must obtain a valid nonce. In this plugin, nonces are typically localized for the Brevo dashboard or subscription forms.
- Identify Shortcode: The plugin uses the shortcode
[sibwp_form]to render subscription forms. - Create Test Page:
wp post create --post_type=page --post_title="Newsletter" --post_status=publish --post_content='[sibwp_form]' - Navigate and Extract:
- Navigate to the newly created page.
- Use
browser_evalto search for localized script data. The plugin typically usessib_admin_objorsib_vars. - JavaScript Variable (Inferred):
window.sib_admin_obj?.sib_nonceorwindow.sib_vars?.nonce.
- Bypass Check: If
wp_ajax_noprivis registered without a nonce check (ordie=falseis used), the nonce may not even be required.
5. Exploitation Strategy
We will attempt to trigger the sib_get_lists action, which is a common administrative task in this plugin used to refresh list metadata.
- Request URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method:
POST - Content-Type:
application/x-www-form-urlencoded - Payload:
action=sib_get_lists&security=[NONCE](If nonce is required). - Alternative Payload:
action=sib_sync_users(To trigger customer synchronization).
Steps:
- Attempt the request without a nonce to see if the check is entirely missing.
- If it fails with
403or-1, perform the Nonce Acquisition Strategy above and retry. - Analyze the JSON response.
6. Test Data Setup
- Install Plugin:
wp plugin install woocommerce-sendinblue-newsletter-subscription --version=4.0.49 --activate - Mock Configuration (Required for sink reachability):
- The plugin usually requires an API key to perform list-related actions.
wp option update sib_api_key "xkeysib-test-key-123456789"wp option update sib_status "on"
- Create Form Page: Place the shortcode on a page for possible nonce extraction.
7. Expected Results
- Success: The server returns a
200 OKresponse with a JSON body. - Data Leakage: The JSON body contains list names, IDs, or synchronization status (e.g.,
{"status":"success","lists":[...]}). - Unauthorized Action: The server logs show an outbound request to the Brevo API triggered by an unauthenticated IP.
8. Verification Steps
- Verify via Logs: Check the Brevo plugin's log file (often found in
wp-content/uploads/sib_log.txtor similar, depending on plugin settings) to see if a sync was initiated. - Verify via Options: Check if the list cache has been updated in the database:
wp option get sib_lists - Verify Response Content: Ensure the HTTP response contains data that should only be visible to administrators.
9. Alternative Approaches
- Action Brute-force: If
sib_get_listsis not the vulnerable action, try:sib_resync_listssib_check_api_keysib_update_contact
- Parameter Variation: Try sending the parameters via
GETinstead ofPOSTifadmin-ajax.phpis configured to handle$_REQUEST. - Direct Hook Audit: If source files become available, search for
add_action( 'wp_ajax_nopriv_and prioritize handlers that lackcurrent_user_can.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.