CVE-2025-14348

Name of the Vulnerable Software and Affected Versions weMail versions prior to 2.0.8

Description The weMail plugin for WordPress has a flaw where the REST API relies on the x-wemail-user HTTP header for user identification without confirming a valid WordPress session. This allows unauthenticated attackers, who can determine an administrator's email address (through the /wp-json/wp/v2/users endpoint), to act as that user. Successful exploitation grants access to CSV subscriber endpoints, potentially leading to the theft of Personally Identifiable Information (PII) like emails, names, and phone numbers from imported CSV files.

Recommendations Update weMail to version 2.0.8 or later.