PatchSiren cyber security CVE debrief
CVE-2026-15297 neeraj_slit CVE debrief
The Brevo plugin for WordPress, used for newsletter, SMTP, email marketing, and subscribe forms, is vulnerable to Reflected Cross-Site Scripting (XSS). This vulnerability exists in all versions up to and including 3.1.77 and is caused by insufficient input sanitization and output escaping in the page parameter. An attacker can exploit this vulnerability by injecting arbitrary web scripts into pages, which can be executed when a user interacts with a crafted link. This vulnerability allows unauthenticated attackers to potentially take control of user sessions or deface websites. The CVSS score for this vulnerability is 6.1, indicating a medium severity level. Administrators of WordPress sites using the Brevo plugin, especially those allowing user interaction or public access, should prioritize updating the plugin to mitigate potential XSS attacks.
- Vendor
- neeraj_slit
- Product
- Brevo – Email, SMS, Web Push, Chat, and more.
- CVSS
- MEDIUM 6.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Administrators of WordPress sites using the Brevo plugin, especially those allowing user interaction or public access, should prioritize updating the plugin to mitigate potential XSS attacks. This includes site owners, IT personnel, and security teams responsible for maintaining WordPress installations with the Brevo plugin. Additionally, users who interact with pages that may be affected by this vulnerability should be cautious when clicking on links from untrusted sources.
Technical summary
The vulnerability exists in the Brevo plugin for WordPress due to insufficient input sanitization and output escaping in the page parameter. This allows an attacker to inject arbitrary web scripts, which can be executed when a user interacts with the crafted link. The vulnerability is classified as Reflected Cross-Site Scripting (XSS) and has a CVSS score of 6.1, indicating a medium severity level. The affected versions of the plugin are up to and including 3.1.77. To exploit this vulnerability, an attacker would need to trick a user into performing an action such as clicking on a link.
Defensive priority
Medium priority should be given to updating the Brevo plugin to version beyond 3.1.77 to prevent potential exploitation of this vulnerability. Additional measures include implementing monitoring for suspicious activity and educating users about the risks associated with this vulnerability.
Recommended defensive actions
- Update the Brevo plugin to a version beyond 3.1.77.
- Implement additional monitoring for suspicious page parameter usage.
- Educate users about the risks of clicking on unverified links.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
Evidence notes
The CVE record was published on 2026-07-10T05:16:32.977Z and was last modified on 2026-07-10T15:43:30.330Z. The NVD entry is currently Deferred. The Brevo plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the page parameter in all versions up to, and including, 3.1.77 due to insufficient input sanitization and output escaping. This vulnerability allows unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. The CVSS score for this vulnerability is 6.1, indicating a medium severity level. The source of this information is the NVD entry for CVE-2026-15297.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T05:16:32.977Z and has not been modified since then. The NVD entry is currently Deferred.