CVE-2025-14348: CWE-285 Improper Authorization in wedevs weMail – Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII (emails, names, phone numbers) from imported CSV files.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-14348 affects the weMail WordPress plugin, a tool widely used for email marketing, lead generation, and automation. The root cause is an improper authorization flaw (CWE-285) in the plugin's REST API, which relies on the 'x-wemail-user' HTTP header to determine user identity without validating that the request originates from an authenticated WordPress session. This design flaw allows unauthenticated attackers to spoof the header and impersonate any user, including administrators. Attackers can enumerate valid admin email addresses through the publicly accessible WordPress REST API endpoint '/wp-json/wp/v2/users', which exposes usernames and emails. By exploiting this, attackers gain unauthorized access to CSV subscriber endpoints, enabling them to exfiltrate sensitive subscriber data such as emails, names, and phone numbers imported into the plugin. The vulnerability affects all versions up to and including 2.0.7, with no patch currently available. The CVSS 3.1 base score is 5.3, reflecting medium severity due to the confidentiality impact and ease of exploitation without authentication or user interaction. There are no known exploits in the wild yet, but the vulnerability poses a significant privacy risk to organizations relying on weMail for subscriber management.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of personally identifiable information (PII) of subscribers managed through the weMail plugin. This can lead to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), and reputational damage for affected organizations. Attackers can harvest large volumes of subscriber data, which could be used for phishing campaigns, identity theft, or further targeted attacks. Since the vulnerability does not affect data integrity or availability, the risk is confined to confidentiality breaches. However, given the sensitive nature of subscriber data, the impact on organizations handling marketing and customer engagement is significant. The ease of exploitation without authentication increases the likelihood of attacks, especially against websites with publicly accessible REST APIs. Organizations with large subscriber bases or operating in regulated industries face heightened risks.
Mitigation Recommendations
Organizations should immediately verify the version of the weMail plugin installed and upgrade to a patched version once available. Until a patch is released, restrict access to the WordPress REST API endpoints related to weMail by implementing IP whitelisting, web application firewall (WAF) rules, or authentication enforcement. Disable or limit the exposure of the '/wp-json/wp/v2/users' endpoint to prevent enumeration of admin emails, for example by using plugins that restrict REST API access or custom code to filter responses. Monitor web server logs for suspicious requests containing the 'x-wemail-user' header or unusual access patterns to subscriber CSV endpoints. Educate administrators to avoid exposing sensitive data unnecessarily and review subscriber data handling policies. Consider implementing additional layers of authentication or token validation for REST API requests in the interim. Regularly audit WordPress plugins for security updates and vulnerabilities to reduce attack surface.
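The following must-use plugin is an added example, not code from the advisory, from weMail, or from WordPress core. It implements two of the interim mitigations above with core hooks only: it refuses any REST request that presents the `x-wemail-user` identity header without an authenticated WordPress session behind it (logging the attempt for the monitoring the advisory recommends), and it hides the `/wp/v2/users` routes from anonymous callers so admin e-mails cannot be enumerated. It assumes legitimate weMail dashboard traffic carries a valid `X-WP-Nonce`, which is what makes WordPress recognise the browser session on REST requests; if the plugin's front end does not send one, the header guard would also block it and would need to be narrowed to the CSV routes. The `error_log` message format is this example's own.

```php
<?php
/**
 * Plugin Name: Interim REST hardening for CVE-2025-14348
 * Description: Added example (not weMail or WordPress core code). Place in
 *              wp-content/mu-plugins/ so it loads before regular plugins.
 *
 * Assumptions: only core hooks (rest_pre_dispatch, rest_endpoints) are used
 * and nothing depends on weMail internals. Legitimate weMail dashboard
 * requests are assumed to carry a valid X-WP-Nonce so that is_user_logged_in()
 * reflects the browser session during REST dispatch.
 */

// Legitimate traffic to weMail's REST routes comes from a logged-in session.
// A request that presents the x-wemail-user identity header with no
// recognised WordPress user behind it is the spoofing pattern this CVE
// describes, so refuse it before any plugin callback sees it.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // WP_REST_Request::get_header() canonicalises the name, so the
    // hyphenated form used in the advisory is fine here.
    $claimed = $request->get_header( 'x-wemail-user' );
    if ( $claimed === null || $claimed === '' ) {
        return $result; // header absent: nothing to do
    }
    if ( is_user_logged_in() ) {
        return $result; // authenticated session; let WordPress and weMail proceed
    }

    // The header value is attacker-controlled: strip non-printable bytes and
    // cap its length before it reaches the log, so it cannot forge log lines.
    $safe_value = substr( preg_replace( '/[^\x20-\x7E]/', '?', $claimed ), 0, 200 );
    $client_ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf(
        'CVE-2025-14348 guard: unauthenticated request to %s presented x-wemail-user=%s from %s',
        $request->get_route(),
        $safe_value,
        $client_ip
    ) );

    // Returning a WP_Error from rest_pre_dispatch short-circuits the request.
    return new WP_Error(
        'rest_forbidden',
        'Authentication required.',
        array( 'status' => 401 )
    );
}, 10, 3 );

// Remove the user-listing routes for anonymous callers so admin e-mails
// cannot be enumerated through /wp-json/wp/v2/users. Logged-in users keep
// the endpoint because the block editor and other admin screens rely on it.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );
```

After installing it, an anonymous `curl -H 'x-wemail-user: admin@example.org' https://example.org/wp-json/...` (placeholder host and route) should return a 401 JSON error and leave a `CVE-2025-14348 guard:` line in the PHP error log, while an anonymous `GET /wp-json/wp/v2/users` should return a `rest_no_route` 404. Verify the weMail admin screens still function for a logged-in administrator before leaving this in place, and remove it once an upstream fix is installed.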
Affected Countries
United States, India, Brazil, Germany, United Kingdom, Canada, Australia, France, Netherlands, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-09T15:13:36.266Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696f09b14623b1157c16d2d9
Added to database: 1/20/2026, 4:50:57 AM
Last enriched: 2/27/2026, 11:06:07 AM
Last updated: 3/24/2026, 12:14:18 AM