CVE-2025-14348
Authorization Bypass in weMail Plugin Enables Subscriber Data Exposure

Publication date: 2026-01-20

Last updated on: 2026-01-20

Assigner: Wordfence

Description
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII (emails, names, phone numbers) from imported CSV files.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-20
EPSS evaluated: 2026-05-05
Affected Vendors & Products (2 associated CPEs)
Vendor   Product   Version / Range
wedevs   wemail    up to 2.0.7 (inclusive)
wedevs   wemail    up to 2.0.8 (exclusive)
CWE
CWE-285: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the weMail WordPress plugin (up to version 2.0.7) is an authorization bypass in its REST API. The plugin trusts the `x-wemail-user` HTTP header to identify users without verifying if the request comes from an authenticated WordPress session. This allows unauthenticated attackers who can guess or enumerate an admin email to impersonate that user and access CSV subscriber endpoints. As a result, attackers can potentially exfiltrate personally identifiable information (PII) such as emails, names, and phone numbers from imported CSV subscriber files. [1]


How can this vulnerability impact me?

This vulnerability can allow unauthorized attackers to impersonate admin users and access sensitive subscriber data stored in CSV files, including personally identifiable information like emails, names, and phone numbers. This can lead to data breaches, loss of subscriber privacy, and potential misuse of the exposed data. Since the attacker does not need to be authenticated, the risk of data exfiltration is significant. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability can negatively impact compliance with data protection regulations such as GDPR and HIPAA because it allows unauthorized access to personally identifiable information (PII) of subscribers. Unauthorized disclosure of such data violates principles of data confidentiality and security required by these regulations, potentially leading to legal penalties and loss of trust. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring REST API requests to the weMail plugin endpoints, specifically those under the namespace `wemail/v1` with paths like `/csv/{id}`, `/csv/{id}/meta-fields`, and `/csv/{id}/subscribers`. Look for unauthorized requests that include the `x-wemail-user` HTTP header with an admin email or attempts to access subscriber CSV data without proper authentication. Commands to detect such activity could include using curl or similar tools to test access, for example: `curl -I -H "x-wemail-user: [email protected]" https://yourwordpresssite.com/wp-json/wemail/v1/csv/1/subscribers` to check if unauthorized access is possible. Additionally, monitoring web server logs for suspicious REST API calls with the `x-wemail-user` header or unusual access patterns to `/wp-json/wemail/v1/csv/` endpoints can help detect exploitation attempts. [1]
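As an added example (not code from this page or from the weMail project), the following Python script applies the log-monitoring advice above to web-server access-log lines. It assumes the server's log format appends the `x-wemail-user` request header as a final quoted field (for Apache, a `%{x-wemail-user}i` field added to the LogFormat; stock combined logs do not record request headers, so this field must exist before the scan can see anything). The log lines, IP addresses and email values below are constructed sample data.

```python
"""Flag access-log clients that sent an x-wemail-user header to the weMail CSV
REST endpoints (the CVE-2025-14348 pattern), and note whether the same client
first enumerated users via /wp-json/wp/v2/users.

Assumed log format (constructed for this example): combined log format with
the x-wemail-user request header appended as a final quoted field, written as
"-" when the header is absent.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<wemail_user>[^"]*)"$'
)

# Endpoints named in the advisory: /csv/{id}, /csv/{id}/meta-fields, /csv/{id}/subscribers
CSV_ENDPOINT_RE = re.compile(r'^/wp-json/wemail/v1/csv/\d+(/meta-fields|/subscribers)?(\?.*)?$')
# Core WordPress user listing used to discover admin emails
USER_ENUM_RE = re.compile(r'^/wp-json/wp/v2/users(/|\?|$)')

# Constructed sample log: one client enumerates users then pulls CSV data with a
# spoofed header, one legitimate admin session, one rejected (401) attempt.
SAMPLE_LOG = """\
203.0.113.10 - - [20/Jan/2026:10:00:01 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "curl/8.5.0" "-"
203.0.113.10 - - [20/Jan/2026:10:00:05 +0000] "GET /wp-json/wemail/v1/csv/1/subscribers HTTP/1.1" 200 5120 "-" "curl/8.5.0" "admin@example.invalid"
198.51.100.7 - - [20/Jan/2026:10:01:00 +0000] "GET /wp-admin/admin.php?page=wemail HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
203.0.113.10 - - [20/Jan/2026:10:00:09 +0000] "GET /wp-json/wemail/v1/csv/1/meta-fields HTTP/1.1" 200 640 "-" "curl/8.5.0" "admin@example.invalid"
192.0.2.44 - - [20/Jan/2026:10:02:00 +0000] "GET /wp-json/wemail/v1/csv/2 HTTP/1.1" 401 0 "-" "python-requests/2.31" "editor@example.invalid"
"""


def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Apache writes "-" when the request carried no x-wemail-user header
    rec["wemail_user"] = "" if rec["wemail_user"] == "-" else rec["wemail_user"]
    return rec


def scan(log_text):
    """Return per-IP findings for clients that hit a weMail CSV endpoint with an
    x-wemail-user header. 'successful' counts 2xx responses, i.e. requests the
    plugin actually served; 'enumerated_users' records a prior /wp/v2/users hit
    from the same client, which raises confidence that the bypass is in use."""
    per_ip = defaultdict(lambda: {
        "enumerated_users": False, "header_hits": 0, "successful": 0, "paths": []
    })
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line; a production scanner would count these
        state = per_ip[rec["ip"]]
        if USER_ENUM_RE.match(rec["path"]):
            state["enumerated_users"] = True
        elif CSV_ENDPOINT_RE.match(rec["path"]) and rec["wemail_user"]:
            state["header_hits"] += 1
            state["paths"].append(rec["path"])
            if 200 <= rec["status"] < 300:
                state["successful"] += 1
    # Only clients that actually sent the header to a CSV endpoint are findings
    return {ip: s for ip, s in per_ip.items() if s["header_hits"]}


def summarize(findings):
    """Render findings as one alert line per client, most serious first."""
    lines = []
    for ip, s in sorted(findings.items(), key=lambda kv: -kv[1]["successful"]):
        tag = "SERVED" if s["successful"] else "rejected"
        enum = " after user enumeration" if s["enumerated_users"] else ""
        lines.append(f"{ip}: {s['header_hits']} CSV request(s) with x-wemail-user, "
                     f"{s['successful']} {tag}{enum}: {', '.join(s['paths'])}")
    return lines


if __name__ == "__main__":
    for line in summarize(scan(SAMPLE_LOG)):
        print(line)
```

On a real server, feed the scanner the access log that carries the extra header field and treat any `SERVED` result as evidence the CSV data was returned to a caller outside a WordPress session; a `rejected` result on a patched site (2.0.8 or later) still shows that someone probed the endpoint.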


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include updating the weMail plugin to version 2.0.8 or later, where the vulnerability is fixed by refactoring permission callbacks to enforce stricter access controls, including validating API keys and user emails properly, requiring authenticated users with appropriate capabilities, and adding nonce verification to prevent CSRF attacks. If updating immediately is not possible, restrict access to the REST API endpoints related to weMail by limiting access via firewall rules or web server configuration to trusted IPs or authenticated users only. Additionally, monitor and audit REST API usage for suspicious activity and consider disabling the plugin temporarily if the risk is high. [3]

