CVE-2025-14339: CWE-862 Missing Authorization in wedevs weMail: Email Marketing, Email Automation, Newsletters, Subscribers & eCommerce Email Optins
CVE-2025-14339 is a missing authorization vulnerability in the weMail WordPress plugin up to version 2.0.7. The plugin improperly validates deletion requests for email marketing forms by only checking the REST nonce without verifying user capabilities. Because the nonce is exposed to unauthenticated visitors via JavaScript on pages with weMail forms, any unauthenticated attacker can extract it and send DELETE requests to permanently remove all forms. This results in loss of data integrity and availability of marketing forms without requiring authentication or user interaction. The vulnerability has a CVSS score of 6.5 (medium severity) and currently has no known exploits in the wild. Organizations using the weMail plugin are at risk of disruption to their email marketing operations if targeted.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-14339 affects the weMail plugin for WordPress, which provides email marketing, automation, newsletters, and opt-in form functionalities. The root cause is a missing authorization check (CWE-862) in the Forms::permission() callback function. This function validates incoming DELETE requests to the forms REST API endpoint by verifying the presence of a valid REST nonce via the X-WP-Nonce header. However, it fails to check whether the requesting user has the necessary capabilities or permissions to delete forms. The REST nonce is exposed to unauthenticated visitors through the weMail JavaScript object embedded on pages containing weMail forms, allowing attackers to retrieve it from the page source. An attacker can then craft and send a DELETE HTTP request to the forms endpoint using the extracted nonce, bypassing authentication and authorization controls. This enables permanent deletion of all weMail forms, causing loss of data integrity and availability of critical marketing assets. The vulnerability affects all versions up to and including 2.0.7. The CVSS 3.1 base score is 6.5, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, but low integrity and high availability impacts. No patches or known exploits are currently reported, but the vulnerability is publicly disclosed and exploitable with minimal effort.
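The contrast the analysis draws, as an added PHP example that is not weMail's code: a REST permission callback that only verifies the X-WP-Nonce header, beside one that also checks the caller's capability. The class name, route namespace and the manage_options capability are assumptions.

```php
<?php
// Illustrative REST permission callbacks for a WordPress plugin. Added example,
// not weMail's code; class name, route namespace and capability are assumed.

class Example_Forms_Controller {

    // Vulnerable pattern (CWE-862): the callback proves only that the caller
    // holds a valid 'wp_rest' nonce. WordPress issues that nonce to logged-out
    // visitors too (user ID 0, empty session token), so a nonce read from a
    // public page satisfies this check and no capability is ever consulted.
    public static function permission_nonce_only( WP_REST_Request $request ) {
        $nonce = $request->get_header( 'X-WP-Nonce' );
        return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
    }

    // Hardened pattern: the nonce still guards against CSRF from a logged-in
    // browser, but authorization is decided by the caller's capability.
    // 'manage_options' (administrators) is an assumed choice; a plugin that
    // delegates form management would register its own capability instead.
    public static function permission_delete_form( WP_REST_Request $request ) {
        $nonce = $request->get_header( 'X-WP-Nonce' );
        if ( ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
            return new WP_Error( 'rest_cookie_invalid_nonce',
                __( 'Cookie check failed' ), array( 'status' => 403 ) );
        }
        if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
            return new WP_Error( 'rest_forbidden',
                __( 'You are not allowed to delete forms.' ),
                array( 'status' => rest_authorization_required_code() ) );
        }
        return true;
    }

    public static function register_routes() {
        register_rest_route( 'example-forms/v1', '/forms/(?P<id>\d+)', array(
            'methods'             => WP_REST_Server::DELETABLE,
            'callback'            => array( __CLASS__, 'delete_form' ),
            'permission_callback' => array( __CLASS__, 'permission_delete_form' ),
            'args'                => array(
                'id' => array( 'validate_callback' => 'rest_is_integer' ),
            ),
        ) );
    }

    public static function delete_form( WP_REST_Request $request ) {
        // Actual deletion of the stored form record would happen here.
        return rest_ensure_response( array( 'deleted' => (int) $request['id'] ) );
    }
}
add_action( 'rest_api_init', array( 'Example_Forms_Controller', 'register_routes' ) );
```

Swapping permission_delete_form for permission_nonce_only in register_routes reproduces the class of flaw described above; with the hardened callback an unauthenticated DELETE receives a 401/403 from WordPress before the route callback runs.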
Potential Impact
This vulnerability can significantly disrupt organizations relying on the weMail plugin for their email marketing and lead generation activities. Unauthorized deletion of all marketing forms can result in loss of subscriber data collection capabilities, interruption of automated email campaigns, and degradation of customer engagement efforts. The integrity of marketing data is compromised as forms are deleted without authorization, and availability is impacted due to the inability to use or restore forms quickly. Organizations may face operational downtime, revenue loss from disrupted marketing workflows, and reputational damage if attackers exploit this flaw. Since no authentication or user interaction is needed, attackers can automate attacks at scale, potentially targeting multiple sites running vulnerable versions. Although confidentiality is not directly impacted, the loss of marketing infrastructure can indirectly affect business continuity and customer trust.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade the weMail plugin to a version where proper authorization checks are implemented, once available from the vendor. Until a patch is released, administrators should consider disabling or restricting access to the weMail forms REST API endpoints via web application firewalls or server-level rules to block DELETE requests from unauthenticated sources. Removing or hiding the exposed REST nonce from public pages can reduce attack surface, though this may require custom code changes. Monitoring web server logs for suspicious DELETE requests targeting the forms endpoint can help detect exploitation attempts. Regular backups of form configurations and subscriber data should be maintained to enable rapid recovery if deletion occurs. Additionally, limiting plugin usage to trusted administrators and minimizing exposure of marketing pages to unauthenticated users can reduce risk. Organizations should also follow vendor advisories closely for patch releases and apply updates promptly.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, India, France, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-09T14:06:01.519Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69997b9dbe58cf853b7530da
Added to database: 2/21/2026, 9:32:13 AM
Last enriched: 2/21/2026, 9:46:42 AM
Last updated: 2/21/2026, 12:34:36 PM