CVE-2024-8477

📊 4.3 MEDIUM · EPSS 0.0% · 🎯 0 exploits
📅 Published Oct 10, 2024
📋 Status: Analyzed

The Newsletter, SMTP, Email marketing and Subscribe forms by Brevo (formely Sendinblue) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.1.87. This is due to missing or incorrect nonce validation on the Init() function. This makes it possible for unauthenticated attackers to log out of a Brevo connection via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

🎯 Affected Products & Systems

1 product configuration affected
Version: < 3.1.88
Target SW: wordpress
CPE:
cpe:2.3:a:brevo:newsletter\,_smtp\,_email_marketing_and_subscribe:*:*:*:*:*:wordpress:*:*
Metrics
4.3 MEDIUM (CVSS v3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector:
NETWORK
Complexity:
LOW
Privileges:
NONE
User Interaction:
REQUIRED
Confidentiality:
NONE
Integrity:
LOW
Availability:
NONE
Scope:
UNCHANGED

🔍 Technical Details

Analysis Status
Analyzed
CVSS Details
4.3 (MEDIUM), v3.1
EPSS Details
0.0% (Minimal), 12.2th percentile (exploitation probability within 30 days)
Last updated: Oct 31, 2025
Published Date
Oct 10, 2024 (1 year ago)
Last Modified
Oct 15, 2024 (1 year ago)