PT-2026-21373 · WordPress · Webmail

Angus Girvan · Published 2026-02-21 · Updated 2026-02-21 · CVE-2025-14339

CVSS v3.1: 6.5 (Medium) · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress, versions through 2.0.7

Description: The weMail plugin for WordPress is affected by a flaw that allows unauthorized deletion of forms. The Forms::permission() function only validates the X-WP-Nonce header and does not verify the requesting user's capabilities. The REST nonce is exposed to unauthenticated visitors through the weMail JavaScript object embedded on pages that contain weMail forms. As a result, any unauthenticated user can permanently delete all weMail forms by reading the nonce from the page source and sending a DELETE request to the forms endpoint /wp-json/wemail/v1/forms. The vulnerable parameter is the X-WP-Nonce header.

Recommendations: Update to a version of the weMail plugin later than 2.0.7.
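The root cause described above is a REST permission callback that treats a valid X-WP-Nonce as proof of authorization. The following is an added illustration written for this advisory, not the weMail plugin's own code: a weak permission callback of the kind the description characterises, beside a hardened one that also requires a logged-in user with an appropriate capability. The class name Example_Forms_Controller, the route example/v1/forms, the post type example_form and the capability manage_options are assumptions chosen for the example.

```php
<?php
// Added example for this advisory; not the weMail plugin's code.
// Assumed names: Example_Forms_Controller, route example/v1/forms,
// post type example_form, capability manage_options.

class Example_Forms_Controller {

    public function register_routes() {
        register_rest_route( 'example/v1', '/forms', array(
            array(
                'methods'             => WP_REST_Server::DELETABLE,
                'callback'            => array( $this, 'delete_forms' ),
                // permission_weak() is the pattern the advisory describes;
                // the route is wired to the hardened callback instead.
                'permission_callback' => array( $this, 'permission_hardened' ),
            ),
        ) );
    }

    /**
     * Weak: only checks that the nonce is valid. wp_create_nonce( 'wp_rest' )
     * is also valid for an anonymous visitor (user ID 0), and the REST nonce
     * is routinely printed into front-end pages so that in-page JavaScript can
     * call the API. A valid nonce therefore says nothing about who is calling
     * or what they may do.
     */
    public function permission_weak( WP_REST_Request $request ) {
        $nonce = $request->get_header( 'X-WP-Nonce' );
        return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
    }

    /**
     * Hardened: the nonce check defends against cross-site request forgery for
     * cookie-authenticated callers; the login and capability checks are what
     * actually authorise the destructive operation. All three are required.
     */
    public function permission_hardened( WP_REST_Request $request ) {
        $nonce = $request->get_header( 'X-WP-Nonce' );
        if ( ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
            return new WP_Error( 'rest_cookie_invalid_nonce', 'Cookie check failed.', array( 'status' => 403 ) );
        }
        if ( ! is_user_logged_in() ) {
            return new WP_Error( 'rest_not_logged_in', 'You must be logged in to delete forms.', array( 'status' => 401 ) );
        }
        if ( ! current_user_can( 'manage_options' ) ) {
            return new WP_Error( 'rest_forbidden', 'You are not allowed to delete forms.', array( 'status' => 403 ) );
        }
        return true;
    }

    /**
     * Route handler: only reached when permission_hardened() returned true.
     * Deletes every post of the assumed example_form post type.
     */
    public function delete_forms( WP_REST_Request $request ) {
        $forms = get_posts( array(
            'post_type'   => 'example_form',
            'post_status' => 'any',
            'numberposts' => -1,
            'fields'      => 'ids',
        ) );
        $deleted = 0;
        foreach ( $forms as $form_id ) {
            if ( wp_delete_post( $form_id, true ) ) {
                $deleted++;
            }
        }
        return rest_ensure_response( array( 'deleted' => $deleted ) );
    }
}

add_action( 'rest_api_init', function () {
    ( new Example_Forms_Controller() )->register_routes();
} );
```

When reviewing a plugin for this class of bug, look at every permission_callback attached to a state-changing route (POST, PUT, PATCH, DELETE): WordPress core already validates X-WP-Nonce during cookie authentication, so a callback whose only check is the nonce performs no authorization at all. The check that has to be present is current_user_can() (or an equivalent ownership test) against the capability the operation requires.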

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2025-14339

Affected Products: Webmail