CVE-2025-14339: CWE-862 Missing Authorization in wedevs weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce` header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the `weMail` JavaScript object on pages with weMail forms, any unauthenticated user can permanently delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to the forms endpoint.
AI Analysis
Technical Summary
The weMail plugin for WordPress suffers from a missing authorization vulnerability (CWE-862) in its REST API endpoint for form deletion. The permission callback validates only the X-WP-Nonce header, which is exposed to unauthenticated visitors via the plugin's JavaScript object on pages containing weMail forms. Because user capabilities are not checked, any unauthenticated user can extract this nonce and issue DELETE requests to remove all forms permanently. This affects all versions up to 2.0.7 and results in integrity and availability impacts without confidentiality compromise. No vendor advisory or patch information is currently available.
Potential Impact
An unauthenticated attacker can permanently delete all weMail forms by exploiting the exposed REST nonce and sending unauthorized DELETE requests. This leads to loss of data integrity and availability of the forms managed by the plugin. There is no impact on confidentiality. The vulnerability has a CVSS score of 6.5 (medium severity). No known exploits in the wild have been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting access to pages exposing the weMail JavaScript object or disabling the plugin if feasible to prevent exploitation. Monitor vendor channels for updates and apply patches promptly once released.
CVE-2025-14339: CWE-862 Missing Authorization in wedevs weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce
Description
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce` header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the `weMail` JavaScript object on pages with weMail forms, any unauthenticated user can permanently delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to the forms endpoint.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The weMail plugin for WordPress suffers from a missing authorization vulnerability (CWE-862) in its REST API endpoint for form deletion. The permission callback validates only the X-WP-Nonce header, which is exposed to unauthenticated visitors via the plugin's JavaScript object on pages containing weMail forms. Because user capabilities are not checked, any unauthenticated user can extract this nonce and issue DELETE requests to remove all forms permanently. This affects all versions up to 2.0.7 and results in integrity and availability impacts without confidentiality compromise. No vendor advisory or patch information is currently available.
Potential Impact
An unauthenticated attacker can permanently delete all weMail forms by exploiting the exposed REST nonce and sending unauthorized DELETE requests. This leads to loss of data integrity and availability of the forms managed by the plugin. There is no impact on confidentiality. The vulnerability has a CVSS score of 6.5 (medium severity). No known exploits in the wild have been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, consider restricting access to pages exposing the weMail JavaScript object or disabling the plugin if feasible to prevent exploitation. Monitor vendor channels for updates and apply patches promptly once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-09T14:06:01.519Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69997b9dbe58cf853b7530da
Added to database: 2/21/2026, 9:32:13 AM
Last enriched: 4/9/2026, 9:14:33 PM
Last updated: 5/21/2026, 7:58:29 PM
Views: 159
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.