CVE-2025-14348: CWE-285 Improper Authorization in wedevs weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII (emails, names, phone numbers) from imported CSV files.
AI Analysis
Technical Summary
CVE-2025-14348 is an improper authorization vulnerability (CWE-285) in the weMail WordPress plugin (versions up to 2.0.7). The plugin's REST API improperly trusts the x-wemail-user HTTP header for user identification without verifying the request originates from an authenticated WordPress session. This flaw allows unauthenticated attackers to impersonate admin users by guessing or enumerating admin emails via the WordPress users API endpoint. Exploitation enables unauthorized access to CSV subscriber endpoints, potentially exposing subscriber PII including emails, names, and phone numbers.
Potential Impact
The vulnerability allows unauthenticated attackers to bypass authorization controls and impersonate admin users by manipulating the x-wemail-user HTTP header. This can lead to unauthorized access to subscriber data stored in CSV files, exposing personally identifiable information such as email addresses, names, and phone numbers. There is no indication of impact on data integrity or availability. No known active exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix is documented, users should monitor the vendor's communications for updates. As a temporary measure, restricting access to the REST API endpoints or disabling the weMail plugin until a fix is available may reduce risk. Avoid exposing admin email addresses publicly to limit attacker ability to guess valid users.
CVE-2025-14348: CWE-285 Improper Authorization in wedevs weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce
Description
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII (emails, names, phone numbers) from imported CSV files.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-14348 is an improper authorization vulnerability (CWE-285) in the weMail WordPress plugin (versions up to 2.0.7). The plugin's REST API improperly trusts the x-wemail-user HTTP header for user identification without verifying the request originates from an authenticated WordPress session. This flaw allows unauthenticated attackers to impersonate admin users by guessing or enumerating admin emails via the WordPress users API endpoint. Exploitation enables unauthorized access to CSV subscriber endpoints, potentially exposing subscriber PII including emails, names, and phone numbers.
Potential Impact
The vulnerability allows unauthenticated attackers to bypass authorization controls and impersonate admin users by manipulating the x-wemail-user HTTP header. This can lead to unauthorized access to subscriber data stored in CSV files, exposing personally identifiable information such as email addresses, names, and phone numbers. There is no indication of impact on data integrity or availability. No known active exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix is documented, users should monitor the vendor's communications for updates. As a temporary measure, restricting access to the REST API endpoints or disabling the weMail plugin until a fix is available may reduce risk. Avoid exposing admin email addresses publicly to limit attacker ability to guess valid users.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-12-09T15:13:36.266Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 696f09b14623b1157c16d2d9
Added to database: 1/20/2026, 4:50:57 AM
Last enriched: 4/9/2026, 4:46:54 PM
Last updated: 5/8/2026, 6:55:15 AM
Views: 155
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.