CVE-2025-14348
Unknown Unknown - Not Provided
Authorization Bypass in weMail Plugin Enables Subscriber Data Exposure

Publication date: 2026-01-20

Last updated on: 2026-01-20

Assigner: Wordfence

Description
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII (emails, names, phone numbers) from imported CSV files.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-20
Last Modified
2026-01-20
Generated
2026-06-16
AI Q&A
2026-01-20
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14348
EUVD
EUVD-2026-3481
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
wedevs wemail to 2.0.7 (inc)
wedevs wemail to 2.0.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the weMail WordPress plugin (up to version 2.0.7) is an authorization bypass in its REST API. The plugin trusts the `x-wemail-user` HTTP header to identify users without verifying if the request comes from an authenticated WordPress session. This allows unauthenticated attackers who can guess or enumerate an admin email to impersonate that user and access CSV subscriber endpoints. As a result, attackers can potentially exfiltrate personally identifiable information (PII) such as emails, names, and phone numbers from imported CSV subscriber files. [1]

Impact Analysis

This vulnerability can allow unauthorized attackers to impersonate admin users and access sensitive subscriber data stored in CSV files, including personally identifiable information like emails, names, and phone numbers. This can lead to data breaches, loss of subscriber privacy, and potential misuse of the exposed data. Since the attacker does not need to be authenticated, the risk of data exfiltration is significant. [1]

Compliance Impact

This vulnerability can negatively impact compliance with data protection regulations such as GDPR and HIPAA because it allows unauthorized access to personally identifiable information (PII) of subscribers. Unauthorized disclosure of such data violates principles of data confidentiality and security required by these regulations, potentially leading to legal penalties and loss of trust. [1]

Detection Guidance

This vulnerability can be detected by monitoring REST API requests to the weMail plugin endpoints, specifically those under the namespace `wemail/v1` with paths like `/csv/{id}`, `/csv/{id}/meta-fields`, and `/csv/{id}/subscribers`. Look for unauthorized requests that include the `x-wemail-user` HTTP header with an admin email or attempts to access subscriber CSV data without proper authentication. Commands to detect such activity could include using curl or similar tools to test access, for example: `curl -I -H "x-wemail-user: [email protected]" https://yourwordpresssite.com/wp-json/wemail/v1/csv/1/subscribers` to check if unauthorized access is possible. Additionally, monitoring web server logs for suspicious REST API calls with the `x-wemail-user` header or unusual access patterns to `/wp-json/wemail/v1/csv/` endpoints can help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include updating the weMail plugin to version 2.0.8 or later, where the vulnerability is fixed by refactoring permission callbacks to enforce stricter access controls, including validating API keys and user emails properly, requiring authenticated users with appropriate capabilities, and adding nonce verification to prevent CSRF attacks. If updating immediately is not possible, restrict access to the REST API endpoints related to weMail by limiting access via firewall rules or web server configuration to trusted IPs or authenticated users only. Additionally, monitor and audit REST API usage for suspicious activity and consider disabling the plugin temporarily if the risk is high. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14348. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart