
CVE-2025-14348: CWE-285 Improper Authorization in wedevs weMail – Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation

Severity: Medium
Tags: Vulnerability, CVE-2025-14348, CWE-285
Published: Tue Jan 20 2026 (01/20/2026, 04:35:46 UTC)
Source: CVE Database V5
Vendor/Project: wedevs
Product: weMail – Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation

Description

The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII (emails, names, phone numbers) from imported CSV files.

AI-Powered Analysis

Last updated: 01/20/2026, 05:05:31 UTC

Technical Analysis

The vulnerability identified as CVE-2025-14348 affects the weMail plugin for WordPress, which provides email marketing, lead generation, opt-in forms, newsletters, A/B testing, and automation functionality. The root cause is an improper authorization flaw (CWE-285) in the plugin's REST API, which relies solely on the x-wemail-user HTTP header to determine the user's identity. This header is client-controlled, and the plugin does not verify whether the request originates from an authenticated WordPress session. Since WordPress exposes user information through the /wp-json/wp/v2/users endpoint, admin email addresses are easy to enumerate. With that information, an unauthenticated attacker can craft requests impersonating an admin user and read sensitive subscriber data stored in CSV format, including personally identifiable information such as emails, names, and phone numbers. The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity), reflecting a network attack vector with no privileges and no user interaction required, but with impact limited to confidentiality and none on integrity or availability. No public exploits have been reported yet. All versions of the plugin up to and including 2.0.7 are affected. Because the plugin is widely used in WordPress environments for marketing automation, exposure of subscriber data can lead to privacy violations and compliance issues, especially under GDPR in Europe.

Potential Impact

For European organizations, the impact of this vulnerability is significant due to the potential exposure of subscriber personally identifiable information (PII), including emails, names, and phone numbers. This can lead to privacy breaches and non-compliance with GDPR, resulting in regulatory fines and reputational damage. Organizations relying on the weMail plugin for customer engagement and marketing automation risk unauthorized data exfiltration by unauthenticated attackers. The breach of subscriber data can also facilitate phishing campaigns, identity theft, and other social engineering attacks targeting European customers or employees. Since the vulnerability does not affect system integrity or availability, the primary concern is confidentiality loss. The ease of exploitation (no authentication or user interaction required) increases the risk of widespread abuse, especially for organizations with publicly accessible WordPress REST APIs. Additionally, the exposure of admin email addresses through the WordPress REST API can further aid attackers in reconnaissance and targeted attacks.

Mitigation Recommendations

1. Immediately monitor and restrict access to the WordPress REST API endpoints, especially /wp-json/wp/v2/users, to prevent user enumeration by unauthenticated users.
2. Implement web application firewall (WAF) rules to detect and block suspicious requests containing the x-wemail-user header or attempts to access subscriber CSV endpoints without proper authentication.
3. Until an official patch is released, consider disabling or removing the weMail plugin if it is not critical to operations.
4. Apply the official security patch from the vendor as soon as it becomes available to ensure proper authorization checks are enforced in the REST API.
5. Conduct regular audits of subscriber data access logs to detect unusual or unauthorized access patterns.
6. Enforce least privilege principles for WordPress admin accounts and rotate admin emails if feasible to reduce the risk of enumeration.
7. Educate marketing and IT teams about the risks of exposing sensitive subscriber data and the importance of timely updates.
8. Review and enhance overall WordPress security posture, including strong authentication mechanisms and limiting plugin usage to trusted sources.
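The following is an added illustration, not code from the weMail plugin, of the header-trusted identity check the analysis describes beside the hardened WordPress REST pattern (a `permission_callback` that relies on WordPress' own session). The route namespace, function names and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
// Added illustration, not weMail's code. Route namespace, function names
// and the required capability are assumptions for this example.

// FLAWED PATTERN: identity comes from a client-controlled header, so any
// unauthenticated request naming an admin's email is treated as that admin.
function demo_export_permission_flawed( WP_REST_Request $request ) {
    $email = $request->get_header( 'x-wemail-user' );
    $user  = $email ? get_user_by( 'email', $email ) : false;
    return $user && user_can( $user, 'manage_options' );
}

// HARDENED PATTERN: trust only the WordPress session. With cookie auth the
// REST API sets the current user only when a valid X-WP-Nonce (action
// "wp_rest") accompanies the request; otherwise the user is 0 and the check
// fails closed. Application passwords / other auth plugins work the same way.
function demo_export_permission_hardened( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-mail/v1', '/subscribers/export', array(
        'methods'             => WP_REST_Server::READABLE,
        // Only reached after the permission callback returned true, so the
        // user id here is the authenticated admin, never a header value.
        'callback'            => function ( WP_REST_Request $request ) {
            return rest_ensure_response( array( 'exported_by' => get_current_user_id() ) );
        },
        // Never leave this null or __return_true on an endpoint that returns PII.
        'permission_callback' => 'demo_export_permission_hardened',
    ) );
} );
```

A quick audit check for any plugin: grep its `register_rest_route` calls for missing or `__return_true` permission callbacks, and for handlers that read identity from request headers or parameters instead of `get_current_user_id()`.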


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-12-09T15:13:36.266Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 696f09b14623b1157c16d2d9

Added to database: 1/20/2026, 4:50:57 AM

Last enriched: 1/20/2026, 5:05:31 AM

Last updated: 1/20/2026, 7:18:36 PM

Views: 26
