The vulnerability CVE-2025-14339 resides in the weMail plugin for WordPress, which provides email marketing, automation, newsletters, and opt-in form functionalities. The root cause is a missing authorization check (CWE-862) in the REST API endpoint responsible for managing forms. Specifically, the Forms::permission() callback only validates the presence of a valid X-WP-Nonce header but does not verify if the user has the necessary capabilities to delete forms. Since the nonce is exposed to unauthenticated visitors via the JavaScript weMail object on pages containing weMail forms, any unauthenticated user can extract this nonce from the page source. Using this nonce, an attacker can craft a DELETE HTTP request to the forms endpoint, resulting in the permanent deletion of all weMail forms. This flaw affects all versions up to and including 2.0.7. The vulnerability impacts the integrity and availability of the forms data but does not compromise confidentiality. The CVSS v3.1 base score is 6.5 (medium severity), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on integrity and availability. No patches or exploits are currently publicly available, but the exposure of the nonce and lack of capability checks make exploitation straightforward once the nonce is obtained.

This vulnerability can significantly disrupt organizations relying on the weMail plugin for their email marketing and lead generation efforts. By allowing unauthenticated attackers to delete all forms, it compromises the integrity and availability of critical marketing infrastructure, potentially causing loss of subscriber data collection and interruption of automated email campaigns. This can lead to reduced marketing effectiveness, loss of customer engagement, and operational downtime while forms are recreated. Although no confidential data is directly exposed, the destruction of forms can indirectly impact business continuity and revenue streams. Organizations with high dependence on WordPress-based marketing automation are particularly at risk. The ease of exploitation without authentication or user interaction increases the likelihood of opportunistic attacks, especially on publicly accessible websites with weMail forms.

Organizations should immediately verify if they are using the weMail plugin version 2.0.7 or earlier and upgrade to a patched version once available. In the absence of an official patch, administrators should restrict access to pages containing weMail forms to authenticated users or implement web application firewall (WAF) rules to block unauthorized DELETE requests to the forms REST API endpoint. Additionally, disabling or removing the weMail plugin temporarily can prevent exploitation. Monitoring web server logs for suspicious DELETE requests targeting the forms endpoint and unusual form deletions can help detect exploitation attempts. Developers should ensure that REST API endpoints enforce proper capability checks beyond nonce validation to prevent unauthorized actions. Finally, website owners should consider limiting exposure of nonces to unauthenticated users by adjusting plugin or site configurations.