Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formerly Sendinblue) Vulnerability – Reflected Cross-Site Scripting – CVE-2024-35668 | WordPress Plugin Vulnerability Report

Q: What is the vulnerability in the Newsletter, SMTP, Email marketing, and Subscribe forms by Brevo plugin?

What is the vulnerability in the Newsletter, SMTP, Email marketing, and Subscribe forms by Brevo plugin? The vulnerability in the Newsletter, SMTP, Email marketing, and Subscribe forms by Brevo plugin is a Reflected Cross-Site Scripting (XSS) issue, identified as CVE-2024-35668. This vulnerability allows attackers to inject malicious scripts into web pages, potentially compromising website security.

Q: How does the vulnerability affect WordPress websites?

How does the vulnerability affect WordPress websites? The vulnerability affects WordPress websites that have the affected plugin installed and running, specifically versions up to and including 3.1.77. Attackers can exploit this vulnerability to execute arbitrary scripts on vulnerable websites, posing risks to user data and overall website security.

Q: Who discovered the vulnerability?

Who discovered the vulnerability? The vulnerability was discovered by Rafie Muhammad from Patchstack and publicly published on June 3, 2024.

Q: What is the CVSS score of the vulnerability?

What is the CVSS score of the vulnerability? The CVSS score of the vulnerability is 6.1, indicating a moderate severity level.

Q: What action should website owners take to mitigate the risk?

What action should website owners take to mitigate the risk? Website owners should immediately update the Newsletter, SMTP, Email marketing, and Subscribe forms by Brevo plugin to version 3.1.78 or later. This patched version addresses the vulnerability and helps prevent exploitation by attackers.

Q: How can website owners check if their site has been compromised?

How can website owners check if their site has been compromised? Website owners should monitor their websites for any unusual activity, unexpected redirects, or suspicious links, which may indicate a compromise.

Q: Are there any alternative plugins available?

Are there any alternative plugins available? While awaiting the patch, website owners may consider using alternative plugins that offer similar functionality to minimize exposure to vulnerabilities.

Q: Why is it crucial to stay updated with plugin patches?

Why is it crucial to stay updated with plugin patches? Staying updated with plugin patches is essential to maintaining the security of WordPress websites. Patched versions address known vulnerabilities and help prevent exploitation by attackers.

Q: How often should website owners update their plugins?

How often should website owners update their plugins? Website owners should regularly update all installed plugins to their latest versions to ensure ongoing protection against vulnerabilities and maintain website security.

Q: What is the importance of timely updates in safeguarding WordPress installations?

What is the importance of timely updates in safeguarding WordPress installations? Timely updates play a crucial role in safeguarding WordPress installations against security vulnerabilities. Promptly addressing vulnerabilities helps protect website data, maintain user trust, and mitigate the risk of cyber attacks.

By Your WP Guy | June 3, 2024

Plugin Name: Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formerly Sendinblue)

Key Information:

Software Type: Plugin
Software Slug: mailin
Software Status: Active
Software Author: neeraj_slit
Software Downloads: 4,539,519
Active Installs: 100,000
Last Updated: June 12, 2024
Patched Versions: 3.1.78
Affected Versions: <= 3.1.77

Vulnerability Details:

Name: Newsletter, SMTP, Email marketing and Subscribe forms by Sendinblue <= 3.1.77
Title: Reflected Cross-Site Scripting
Type:
CVE: CVE-2024-35668
CVSS Score: 6.1
Publicly Published: June 3, 2024
Researcher: Rafie Muhammad - Patchstack
Description: The plugin is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 3.1.77 due to insufficient input sanitization and output escaping. Attackers can exploit this to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Summary:

The Newsletter, SMTP, Email marketing and Subscribe forms by Brevo plugin for WordPress has a vulnerability in versions up to and including 3.1.77 that allows unauthenticated attackers to execute Reflected Cross-Site Scripting attacks. This vulnerability has been patched in version 3.1.78.

Detailed Overview:

The vulnerability, identified as CVE-2024-35668, results from inadequate input sanitization and output escaping, primarily affecting the handling of user-generated content. Attackers can exploit this vulnerability by tricking users into clicking on malicious links, leading to the execution of arbitrary scripts, compromising website security and potentially user data.

Advice for Users:

Immediate Action: Users are strongly encouraged to update the Newsletter, SMTP, Email marketing and Subscribe forms by Brevo plugin to version 3.1.78 or later to mitigate the risk of exploitation.
Check for Signs of Vulnerability: Website owners should monitor their websites for any unusual activity, unexpected redirects, or suspicious links, which may indicate a compromise.
Alternate Plugins: While awaiting the patch, consider using alternative plugins offering similar functionality to minimize exposure to vulnerabilities.
Stay Updated: Regularly update all installed plugins to their latest versions to ensure ongoing protection against vulnerabilities and maintain website security.

Conclusion:

The proactive response from the plugin developers in promptly addressing this vulnerability underscores the critical importance of timely updates in safeguarding WordPress installations. Users are strongly advised to ensure they are running version 3.1.78 or later to effectively secure their WordPress websites.

References:

Wordfence Report

Detailed Report:

Introduction

In today's digital landscape, maintaining robust website security is paramount. The recent discovery of a vulnerability in the Newsletter, SMTP, Email marketing, and Subscribe forms by Brevo plugin (formerly Sendinblue) underscores the critical importance of proactive security measures. This vulnerability, identified as a Reflected Cross-Site Scripting (CVE-2024-35668), poses a significant risk to WordPress websites, potentially compromising both security and user data integrity.

Plugin Overview

The Newsletter, SMTP, Email marketing, and Subscribe forms by Brevo plugin is a popular WordPress tool designed to streamline email marketing and subscription processes. Developed by neeraj_slit, the plugin boasts a substantial user base with over 100,000 active installs and millions of downloads. However, despite its widespread usage, the plugin recently fell victim to a critical vulnerability affecting versions up to and including 3.1.77.

Risks/Potential Impacts

The vulnerability exposes websites to various risks, including unauthorized data access, content manipulation, and potential reputational damage. Attackers could exploit the vulnerability to inject malicious scripts, leading to the compromise of sensitive information or the redirection of users to phishing sites. Furthermore, the exploitation of this vulnerability may result in regulatory compliance violations, leading to legal consequences for website owners.

Overview of Previous Vulnerabilities

The previous vulnerabilities identified in the plugin underscore the importance of maintaining vigilance and prompt updates. Each vulnerability represents a potential entry point for attackers, highlighting the ever-evolving nature of cybersecurity threats.

Conclusion

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.