CVE-2025-66128: Missing Authorization in Brevo Sendinblue for WooCommerce
Missing Authorization vulnerability in Brevo Sendinblue for WooCommerce woocommerce-sendinblue-newsletter-subscription allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sendinblue for WooCommerce: from n/a through <= 4.0.49.
AI Analysis
Technical Summary
CVE-2025-66128 identifies a Missing Authorization vulnerability in the Brevo Sendinblue plugin for WooCommerce, specifically in the woocommerce-sendinblue-newsletter-subscription component. The vulnerability arises from incorrectly configured access control security levels, allowing remote attackers to bypass authorization checks and perform actions that should be restricted. The affected versions include all releases up to and including 4.0.49.

The vulnerability is exploitable over the network without requiring authentication or user interaction, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact is limited to confidentiality: unauthorized actors could potentially access or enumerate subscriber data or other sensitive information managed by the plugin. There is no impact on integrity or availability, meaning attackers cannot modify data or disrupt service. The vulnerability was reserved in November 2025 and published in December 2025, with no known exploits in the wild at the time of reporting. The lack of a patch link suggests that a fix may still be pending or recently released.

This vulnerability is significant because Sendinblue is a widely used email marketing and newsletter subscription plugin integrated into WooCommerce, a popular e-commerce platform. Improper access control in such a plugin can lead to leakage of customer email addresses and subscription statuses, which could be leveraged for phishing or spam campaigns. The technical root cause is an incorrect or missing authorization check in the plugin's code, allowing unauthorized API or web requests to access or manipulate subscription data.
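The pattern behind a missing-authorization finding of this class, shown as an added illustration that is not the Brevo/Sendinblue plugin's own code: a hypothetical WordPress REST route that returns subscriber data, first with no effective permission check and then with a capability-gated `permission_callback`. The namespace `example-newsletter/v1`, the routes and `example_list_subscribers` are placeholders; `register_rest_route`, `current_user_can`, `rest_authorization_required_code` and the `manage_woocommerce` capability are real WordPress/WooCommerce APIs.

```php
<?php
// Added illustration, not the plugin's code. Route names and the handler are placeholders.

// VULNERABLE PATTERN: permission_callback accepts every caller, so an unauthenticated
// GET can read the subscriber list. This matches the confidentiality-only impact and
// the AV:N/PR:N/UI:N vector described above.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-newsletter/v1', '/subscribers', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_subscribers',
        'permission_callback' => '__return_true', // authorization is effectively missing
    ) );
} );

// HARDENED PATTERN: require a capability that only store managers and admins hold.
// manage_woocommerce is a real WooCommerce capability; pick the least privilege the
// feature actually needs rather than a blanket administrator check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-newsletter/v1', '/subscribers-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_subscribers',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_woocommerce' ) ) {
                // 401 for anonymous callers, 403 for logged-in users without the capability.
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to view subscribers.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );

// Placeholder handler: a real plugin would query its subscriber store here.
function example_list_subscribers( WP_REST_Request $request ) {
    $subscribers = array(); // constructed: no real data
    return rest_ensure_response( $subscribers );
}
```

When auditing a plugin for this bug class, grep for `'permission_callback' => '__return_true'` and for `wp_ajax_nopriv_` handlers that touch customer data; each hit should be justified by the data it exposes, not by convenience.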
Potential Impact
For European organizations, this vulnerability poses a risk primarily to the confidentiality of customer data managed through WooCommerce stores using the Sendinblue plugin. Exposure of subscriber lists or email addresses can lead to increased phishing attacks, spam, and reputational damage. While the vulnerability does not allow data modification or service disruption, the leakage of personal data could violate GDPR requirements, leading to regulatory penalties and loss of customer trust. E-commerce businesses relying on Sendinblue for marketing automation and customer engagement could see indirect impacts through compromised customer communications. The medium severity reflects the moderate risk: while exploitation is straightforward, the impact is limited to data exposure rather than full system compromise. Organizations with large customer bases or those in regulated sectors (e.g., finance, healthcare) may face higher consequences. Additionally, attackers could use exposed data as a foothold for further social engineering or targeted attacks. The absence of known exploits currently reduces immediate risk but does not eliminate the potential for future attacks once the vulnerability becomes widely known.
Mitigation Recommendations
1. Monitor official Brevo/Sendinblue and WooCommerce channels for security patches addressing CVE-2025-66128 and apply updates immediately upon release.
2. Conduct a thorough audit of access control configurations within the Sendinblue plugin settings and WooCommerce integration to ensure no unauthorized access paths exist.
3. Restrict API and web endpoint access related to newsletter subscription management to trusted IP ranges or authenticated users where feasible.
4. Implement web application firewall (WAF) rules to detect and block suspicious requests targeting the Sendinblue plugin endpoints.
5. Review and limit the permissions of user roles within WooCommerce to minimize exposure from compromised accounts.
6. Monitor logs for unusual access patterns or attempts to exploit the subscription endpoints.
7. Educate staff about phishing risks stemming from potential data leaks and reinforce email security best practices.
8. Consider temporarily disabling the Sendinblue plugin if immediate patching is not possible and the risk is deemed unacceptable.
9. Ensure that data processing agreements and GDPR compliance measures are updated to reflect the risk and mitigation steps taken.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Patchstack
- Date Reserved: 2025-11-21T11:21:32.202Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69411750594e45819d70c74d
Added to database: 12/16/2025, 8:24:48 AM
Last enriched: 1/21/2026, 12:33:31 AM
Last updated: 2/5/2026, 5:49:09 PM