CVE-2025-14436 in Brevo for WooCommerce Plugin
Summary
by MITRE • 01/09/2026
The Brevo for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘user_connection_id’ parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 01/09/2026
The Breto for WooCommerce plugin represents a widely used integration tool that connects WordPress websites with Breto email marketing services, facilitating automated email campaigns and user engagement features. This plugin has been identified with a critical stored cross-site scripting vulnerability affecting versions up to and including 4.0.49, creating a significant security risk for WordPress administrators and end-users who rely on the plugin for their e-commerce operations. The vulnerability specifically resides within the handling of the 'user_connection_id' parameter, which is processed through the plugin's backend systems without proper sanitization measures. The flaw allows malicious actors to inject malicious JavaScript code into the plugin's data handling mechanisms, which then gets stored and executed whenever legitimate users access affected pages. This stored XSS vulnerability operates at the application layer and can be exploited by unauthenticated attackers who do not require valid credentials to compromise the system.
The technical nature of this vulnerability stems from inadequate input validation and output escaping mechanisms within the plugin's codebase. When the 'user_connection_id' parameter is submitted through various plugin interfaces, the system fails to properly sanitize the input data before storing it in the database. Additionally, the plugin does not implement proper output escaping when rendering this data back to users, creating an environment where malicious scripts can persist and execute in the context of the victim's browser. This vulnerability maps directly to CWE-79, which specifically addresses Cross-Site Scripting flaws in software applications, and represents a classic case of stored XSS where the malicious payload is permanently stored on the server rather than being reflected in a single request. The ATT&CK framework categorizes this as a technique under T1566.001 - Phishing, where attackers can use the vulnerability to deliver malicious payloads to unsuspecting users through compromised plugin interfaces.
The operational impact of this vulnerability extends beyond simple script injection, as it provides attackers with the capability to hijack user sessions, steal sensitive information, and potentially escalate privileges within the affected WordPress environment. Unauthenticated attackers can leverage this vulnerability to inject scripts that could redirect users to malicious websites, harvest cookies and session data, or even modify the functionality of the plugin itself. The persistence of the stored scripts means that every user who accesses pages containing the malicious content will be vulnerable to execution of the injected code, creating a wide-reaching attack surface that can affect multiple users simultaneously. This makes the vulnerability particularly dangerous in environments where multiple administrators or users interact with the plugin's interfaces, as the malicious code can be triggered by any legitimate user access. The risk is compounded by the fact that the vulnerability affects the plugin's core functionality, potentially allowing attackers to manipulate email campaigns, user data, and connection parameters that are critical for the plugin's operation.
Mitigation strategies for this vulnerability should prioritize immediate remediation through plugin version updates, as the vendor has likely released patches addressing the input sanitization and output escaping issues. System administrators should implement comprehensive monitoring of plugin-related activities and user access patterns to detect potential exploitation attempts. Network-level protections such as web application firewalls can provide additional defense-in-depth measures by filtering malicious payloads before they reach the vulnerable plugin interfaces. The implementation of Content Security Policy headers can help reduce the impact of successful XSS attacks by limiting script execution capabilities in the browser context. Regular security audits of WordPress plugins and themes should be conducted to identify similar vulnerabilities, with particular attention to input validation and output escaping mechanisms. Organizations should also consider implementing least privilege access controls for plugin management functions and establish incident response procedures specifically addressing XSS vulnerabilities in web applications. The vulnerability highlights the critical importance of proper input validation and output escaping practices in web application development, particularly for plugins that handle user-provided data in WordPress environments where multiple users may interact with the same systems.