WordPress Plugin Vulnerabilities

Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) < 3.1.88 - Cross-Site Request Forgery

Description

The Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.87. This is due to missing or incorrect nonce validation on the Init() function. This makes it possible for unauthenticated attackers to log out of a Brevo connection via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
mailin
Fixed in 3.1.88

References

CVE
CVE-2024-8477
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/e070b422-9036-4362-832b-43fd4838f394

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Joshua Chan
Verified
No
WPVDB ID
56186e2f-de17-4fde-b51c-1837a7a25f00

Timeline

Publicly Published
2024-10-09 (about 1 year ago)
Added
2024-10-09 (about 1 year ago)
Last Updated
2024-10-10 (about 1 year ago)

Other

Published
Title
Published
2021-10-04
Title
BP Better Messages < 1.9.9.41 - Multiple CSRF
Published
2023-09-25
Title
BEAR for WordPress < 1.1.4 - Arbitrary Settings Update via CSRF
Published
2025-12-31
Title
SensitiveTagCloud <= 1.4.1 - Cross-Site Request Forgery
Published
2018-12-05
Title
Redirection <= 3.6.2 - Cross-Site Request Forgery (CSRF)
Published
2022-03-29
Title
DW Question & Answer Pro < 1.3.7 - Multiple CSRF