CVE-2025-14339
Status: Received - Intake
Unauthorized Form Deletion in weMail WordPress Plugin via REST API

Publication date: 2026-02-21

Last updated on: 2026-02-21

Assigner: Wordfence

Description
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce` header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the `weMail` JavaScript object on pages with weMail forms, any unauthenticated user can permanently delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to the forms endpoint.
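The root cause described above is a REST `permission_callback` that treats a nonce as if it were an authorization decision. A WordPress REST nonce is a CSRF token: it proves the request originated from a page that embedded it, and when that page is public the nonce is public too. The following is an added illustration of the flaw class beside its hardened form; it is not code from the weMail plugin, and the route namespace `example/v1`, the post type `example_form` and the `manage_options` capability are assumptions chosen for the example:

```php
<?php
// Added illustrative example, not code from the weMail plugin. Shows a REST
// permission callback that trusts the nonce alone (the flaw class described
// in CVE-2025-14339) next to one that enforces a capability check.
// Namespace, post type and capability name are assumptions.

// Weak pattern: wp_verify_nonce() only confirms the X-WP-Nonce header came
// from a page that embedded it. If that page is public (for example, one that
// renders a form for anonymous visitors), anyone can obtain the nonce, so this
// callback effectively grants deletion to unauthenticated users. WordPress
// core already validates the REST nonce for cookie-authenticated requests, so
// repeating the check here adds no authorization at all.
function example_forms_permission_nonce_only( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-WP-Nonce' );
    return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
}

// Hardened pattern: require a logged-in user who holds a capability that
// matches the action. Nonce validation stays with core; the callback answers
// only "who may delete forms?".
function example_forms_permission_capability( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_forbidden',
            'Authentication required.',
            array( 'status' => 401 )
        );
    }
    // 'manage_options' is an assumption; a real plugin would map this to the
    // capability that governs its own forms.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Insufficient permissions.',
            array( 'status' => 403 )
        );
    }
    return true;
}

// Deletion handler for the example: removes every post of the assumed
// 'example_form' post type and reports how many were deleted.
function example_delete_forms( WP_REST_Request $request ) {
    $form_ids = get_posts( array(
        'post_type'   => 'example_form',
        'numberposts' => -1,
        'fields'      => 'ids',
    ) );
    foreach ( $form_ids as $form_id ) {
        wp_delete_post( $form_id, true );
    }
    return rest_ensure_response( array( 'deleted' => count( $form_ids ) ) );
}

// Route registration wires the hardened callback in. Swapping in
// example_forms_permission_nonce_only() here would reproduce the flaw class.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/forms', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_forms',
        'permission_callback' => 'example_forms_permission_capability',
    ) );
} );
```

When reviewing any plugin's REST routes, the check is the same: every `permission_callback` for a state-changing method should end in a `current_user_can()` (or equivalent) decision, and nonces that are localized into scripts on public pages must be assumed to be known to anonymous visitors.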
Meta Information
Published: 2026-02-21
Last Modified: 2026-02-21
Generated: 2026-06-16
AI Q&A: 2026-02-21
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
One associated CPE:
Vendor: we_devs
Product: wemail
Version / Range: up to 2.0.7 (inclusive)
CWE
CWE-862 (Missing Authorization): The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The vulnerability in CVE-2025-14339 affects the weMail WordPress plugin versions up to and including 2.0.7. It arises because the plugin's REST API permission check for form deletion only verifies the presence and validity of the X-WP-Nonce header without confirming the user's capabilities.

Since the REST nonce is exposed to unauthenticated visitors through the weMail JavaScript object on pages containing weMail forms, any unauthenticated user can extract this nonce from the page source and send a DELETE request to the forms endpoint.

This allows unauthorized users to permanently delete all weMail forms via the REST API, bypassing proper permission checks. [1, 2]

Impact Analysis

This vulnerability can lead to unauthorized deletion of all weMail forms on a WordPress site using the affected plugin versions.

An attacker, without authentication, can permanently remove marketing, lead generation, opt-in, and newsletter forms, disrupting email marketing and automation workflows.

Such disruption can cause loss of leads, interruption of communication with subscribers, and potential damage to business operations relying on these forms.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized DELETE requests to the weMail plugin's REST API endpoint for forms, specifically the '/wemail/v1/forms' route.

Since the vulnerability involves an unauthenticated user extracting the REST nonce from the page source and sending a DELETE request, detection can involve checking web server logs or network traffic for DELETE HTTP requests targeting the '/wemail/v1/forms' REST API route.

Suggested commands to detect such activity include:

- Using grep on web server access logs to find DELETE requests to the vulnerable endpoint, for example:
  grep 'DELETE /wp-json/wemail/v1/forms' /var/log/apache2/access.log
- Or using tcpdump to capture HTTP DELETE requests to the REST API endpoint:
  tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'DELETE /wp-json/wemail/v1/forms'

Two caveats apply. The tcpdump filter only sees plaintext HTTP on port 80, so on a TLS-only site the web server's access logs are the usable source. WordPress also serves REST routes through the '?rest_route=/wemail/v1/forms' query form when pretty permalinks are disabled, so a pattern that matches only '/wp-json/' can miss requests. Legitimate administrators deleting forms produce the same DELETE requests, so hits should be correlated with source IP and with the site's own record of admin activity before being treated as an attack.

Additionally, inspecting the page source of pages containing weMail forms for the presence of the JavaScript object 'weMail' and its 'nonce' property can confirm exposure of the REST nonce to unauthenticated users. [1, 2]

Mitigation Strategies

Immediate mitigation steps include:

- Update the weMail plugin to a version later than 2.0.7 where this vulnerability is fixed.
- If an update is not immediately possible, restrict access to the REST API endpoints related to weMail forms by implementing firewall rules or web server access controls to block DELETE requests to '/wp-json/wemail/v1/forms' from unauthenticated or untrusted sources.
- Monitor and audit logs for suspicious DELETE requests to the forms endpoint and respond accordingly.
- Consider disabling or removing the weMail plugin temporarily if the risk is high and no patch is available. [1]
