CVE-2026-15297 in Newsletter, SMTP, Email marketing and Subscribe Forms Plugininfo

Summary

by MITRE • 07/10/2026

The Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the page parameter in all versions up to, and including, 3.1.77 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability identified in the Brevo plugin for WordPress represents a critical reflected cross-site scripting weakness that affects versions up to and including 3.1.77. This issue stems from inadequate input validation and output escaping mechanisms within the plugin's handling of the page parameter, creating an exploitable vector that allows malicious actors to inject arbitrary JavaScript code into web pages. The flaw operates by reflecting attacker-controlled data back to users without proper sanitization, enabling execution of malicious scripts in the context of the victim's browser session.

The technical implementation of this vulnerability occurs when the plugin processes user-supplied input through the page parameter without adequate filtering or encoding. This failure to properly sanitize incoming data creates opportunities for attackers to craft malicious URLs that, when clicked by unsuspecting users, execute injected scripts within the target website's context. The reflected nature of the vulnerability means that the malicious payload is reflected off the web server rather than being stored, making it particularly dangerous as it requires no persistent storage and can be delivered through various attack vectors including phishing emails or compromised links.

From an operational standpoint, this vulnerability poses significant risks to WordPress sites utilizing the Brevo plugin, as it enables unauthenticated attackers to potentially perform actions on behalf of users with the privileges of those users. The impact extends beyond simple script execution to include potential session hijacking, data theft, and further exploitation of the compromised system. Attackers could leverage this vulnerability to redirect users to malicious websites, steal cookies and session information, or inject additional malicious code that persists through user interactions with the vulnerable site.

The vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws in web applications, and maps to attack patterns within the MITRE ATT&CK framework under the technique of Web Application Attack. Organizations using affected versions should immediately implement mitigations including updating to the latest plugin version, implementing proper input validation mechanisms, and deploying web application firewalls that can detect and block malicious script injection attempts. Additionally, administrators should conduct thorough security audits of all installed plugins to identify similar vulnerabilities and ensure comprehensive protection against reflected XSS attacks across their entire WordPress ecosystem.

The exploitation of this vulnerability requires minimal technical expertise from attackers, making it particularly dangerous as it can be leveraged by threat actors with basic knowledge of web application security. Regular monitoring of plugin updates, implementation of security headers including Content Security Policy directives, and user education regarding suspicious link clicking behaviors remain essential defensive measures against such attacks that can compromise entire website infrastructures through seemingly minor input validation flaws.

Responsible

Wordfence

Reservation

07/09/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!