{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14339", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-09T14:06:01.519Z", "datePublished": "2026-02-21T09:27:59.721Z", "dateUpdated": "2026-04-08T16:37:15.300Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:15.300Z"}, "affected": [{"vendor": "wedevs", "product": "weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.0.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce` header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the `weMail` JavaScript object on pages with weMail forms, any unauthenticated user can permanently delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to the forms endpoint."}], "title": "weMail <= 2.0.7 - Missing Authorization to Unauthenticated Form Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/16dd90c3-3962-4c8e-993f-b6824c48ab76?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Forms.php#L124"}, {"url": "https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/FrontEnd/Scripts.php#L32"}, {"url": "https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Forms.php#L222"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3442404%40wemail%2Ftrunk&old=3423372%40wemail%2Ftrunk&sfp_email=&sfph_mail=#file1"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "timeline": [{"time": "2025-12-24T15:30:57.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-20T20:58:51.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-25T21:18:32.216173Z", "id": "CVE-2025-14339", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:18:46.447Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14339", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-25T21:18:32.216173Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T21:18:41.520Z"}}], "cna": {"title": "weMail <= 2.0.7 - Missing Authorization to Unauthenticated Form Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"}}], "affected": [{"vendor": "wedevs", "product": "weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.0.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-24T15:30:57.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-20T20:58:51.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/16dd90c3-3962-4c8e-993f-b6824c48ab76?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Forms.php#L124"}, {"url": "https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/FrontEnd/Scripts.php#L32"}, {"url": "https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Forms.php#L222"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3442404%40wemail%2Ftrunk&old=3423372%40wemail%2Ftrunk&sfp_email=&sfph_mail=#file1"}], "descriptions": [{"lang": "en", "value": "The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce` header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the `weMail` JavaScript object on pages with weMail forms, any unauthenticated user can permanently delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to the forms endpoint."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:37:15.300Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14339", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:37:15.300Z", "dateReserved": "2025-12-09T14:06:01.519Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-21T09:27:59.721Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce` header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the `weMail` JavaScript object on pages with weMail forms, any unauthenticated user can permanently delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to the forms endpoint."}, {"lang": "es", "value": "El plugin weMail - Email Marketing, Generaci\u00f3n de Leads, Formularios de Suscripci\u00f3n, Boletines por Correo Electr\u00f3nico, Pruebas A/B y Automatizaci\u00f3n para WordPress es vulnerable a la eliminaci\u00f3n no autorizada de formularios en todas las versiones hasta la 2.0.7, inclusive. Esto se debe a que la funci\u00f3n de callback 'Forms::permission()' solo valida el encabezado 'X-WP-Nonce' sin verificar las capacidades del usuario. Dado que el nonce REST se expone a visitantes no autenticados a trav\u00e9s del objeto JavaScript 'weMail' en p\u00e1ginas con formularios de weMail, cualquier usuario no autenticado puede eliminar permanentemente todos los formularios de weMail extrayendo el nonce del c\u00f3digo fuente de la p\u00e1gina y enviando una solicitud DELETE al endpoint de formularios."}], "id": "CVE-2025-14339", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-21T10:16:11.133", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/FrontEnd/Scripts.php#L32"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Forms.php#L124"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Forms.php#L222"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3442404%40wemail%2Ftrunk&old=3423372%40wemail%2Ftrunk&sfp_email=&sfph_mail=#file1"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/16dd90c3-3962-4c8e-993f-b6824c48ab76?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "weMail: Email Marketing, Email Automation, Newsletters, Subscribers & eCommerce Email Optins", "source": "cna", "vendor": "wedevs"}, "product": "wemail:_email_marketing,_email_automation,_newsletters,_subscribers_&_ecommerce_email_optins", "vendor": "wedevs"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-22T19:54:17.738604+00:00", "value": {"mitigation_remediation": ["Upgrade the weMail plugin to a release newer than 2.0.7 that includes the authorization fix.", "If an immediate upgrade is not possible, temporarily deactivate or delete the weMail plugin to prevent unauthenticated deletion requests.", "After the update or deactivation, verify that no REST endpoint permits form deletion without proper user permissions and confirm that the weMail JavaScript is not exposing a nonce to public pages."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized form deletion causing irreversible loss of marketing configuration and subscriber data"}, "threat_synthesis": {"affected_systems": "WordPress sites running the weMail plugin version 2.0.7 or older. The plugin package provides email marketing, lead generation, opt\u2011in forms, newsletters, A/B testing, and automation functionality.", "description_and_impact": "The weMail WordPress plugin allows permanently deleting all stored forms through its REST endpoint. The flaw exists in all releases up to and including 2.0.7 because the endpoint checks only a nonce header rather than authenticating the user\u2019s permissions. An unauthenticated user can obtain that nonce from the weMail JavaScript object rendered on any page that contains a form, then construct a DELETE request to remove every form. This results in loss of form definitions, configured opt\u2011in settings, and associated marketing assets, severely impacting the site\u2019s email campaigns.", "risk_and_exploitability": "The CVSS base score is 6.5, categorising the flaw as moderate. The EPSS score is below 1\u202f%, and the vulnerability has not yet been added to CISA\u2019s KEV catalog, indicating a low current exploitation probability. Nevertheless the attack is straightforward: any visitor to a page containing a weMail form can extract the nonce and send a DELETE request to the /wp\u2011json/wemail/v1/forms endpoint. Because no authentication or capability check is performed, the attack does not require additional privileges, making it simple for attackers to destroy all form data without detection."}}}}, "created": "2026-02-23T14:32:09.498953+00:00", "updated": "2026-04-22T20:00:08.841744+00:00", "vendors": ["wedevs", "wedevs$PRODUCT$wemail:_email_marketing,_email_automation,_newsletters,_subscribers_&_ecommerce_email_optins", "wordpress", "wordpress$PRODUCT$wordpress"]}