A high-severity vulnerability has been identified in the Brevo for WooCommerce plugin for WordPress. This flaw allows an attacker to inject malicious code into a website, which is then stored on the server. When an administrator or user visits the affected page, this code can execute, potentially leading to the theft of sensitive data, account takeover, or website defacement.

The vulnerability is a Stored Cross-Site Scripting (XSS) flaw. It exists due to insufficient input sanitization and output escaping on the ‘user_connection_id’ parameter within the Brevo for WooCommerce plugin. An authenticated attacker can inject a malicious script into this parameter, which is then stored in the website's database. The malicious script will execute in the browser of any user, including administrators, who views the page where this stored data is displayed, leading to a compromise of their session or other client-side attacks.

This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could lead to significant business consequences, including the compromise of administrator and customer accounts. An attacker could hijack an administrator's session to gain full control of the WordPress site, steal sensitive customer data, deface the website, or redirect users to malicious sites, causing severe reputational damage and potential financial loss.

Immediate Action: Immediately update the Brevo for WooCommerce plugin to the latest version, which contains the patch for this vulnerability. Following the update, review all WordPress security settings and user roles to ensure they follow the principle of least privilege. Remove any plugins or themes that are no longer actively used to reduce the overall attack surface of the site.

Proactive Monitoring: Monitor web server access logs for unusual POST requests containing script tags or HTML special characters targeting the vulnerable ‘user_connection_id’ parameter. Implement a file integrity monitoring system to detect unauthorized changes to plugin files. Review audit logs for unexpected administrative actions, such as new user creation or privilege escalation.

Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block cross-site scripting attacks. Implementing a strict Content Security Policy (CSP) can also help mitigate the risk by preventing the execution of untrusted inline scripts.

Public Exploit Available: false

Given the high-severity CVSS score of 7.2 and the potential for complete site compromise, we strongly recommend that organizations prioritize the immediate remediation of this vulnerability. Although this CVE is not currently on the CISA KEV list, the risk to business operations and data security is significant. All instances of the Brevo for WooCommerce plugin should be updated to the latest patched version without delay to prevent exploitation.