CVE-2025-14339
📋 TL;DR
The weMail WordPress plugin up to version 2.0.7 allows unauthenticated attackers to permanently delete all email marketing forms. This occurs because the plugin validates only the REST API nonce without checking user permissions, and the nonce is exposed in page source code. Any WordPress site using vulnerable weMail versions is affected.
💻 Affected Systems
- weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
All weMail forms are permanently deleted, disrupting email marketing campaigns, lead generation, and customer communications, requiring manual recreation.
Likely Case
Attackers delete forms to disrupt business operations, cause service degradation, or as part of broader attacks against the organization.
If Mitigated
With proper access controls and nonce validation, only authorized administrators can manage forms.
🎯 Exploit Status
Exploitation requires pages with weMail forms to expose the nonce; automated tools could scan for vulnerable sites.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.8 or later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the weMail plugin and click 'Update Now' if available.
4. Alternatively, download version 2.0.8+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable weMail plugin temporarily
Deactivate the weMail plugin to prevent exploitation until patched.
wp plugin deactivate wemail
Restrict REST API access
Use web application firewall (WAF) rules to block DELETE requests to the /wp-json/wemail/v1/forms endpoint from unauthenticated users.
🧯 If You Can't Patch
- Remove weMail forms from public pages to hide the nonce from unauthenticated visitors.
- Implement strict access controls and monitoring for REST API endpoints related to weMail.
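For a site that cannot update yet, the capability check the plugin should have made can be enforced from outside it. The must-use plugin below is an added example written for this page, not weMail's own code and not the 2.0.8 fix. It assumes the delete handler lives under the REST route /wemail/v1/forms (the advisory's /wp-json/wemail/v1/forms as seen by the REST server) and treats manage_options as the required capability, which is a conservative assumption rather than the plugin's actual choice. The second half shows, under a hypothetical example/v1 namespace, the permission_callback shape a destructive route should register with, for comparison with the nonce-only check the advisory describes.

```php
<?php
/**
 * Plugin Name: Guard weMail form deletion (added example, not weMail code)
 *
 * Place this file in wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumptions (not taken from the advisory): the REST route prefix is
 * /wemail/v1/forms and only users with manage_options should delete forms.
 */

const WEMAIL_GUARD_ROUTE_PREFIX = '/wemail/v1/forms';

/**
 * Short-circuit DELETE requests to the forms route unless the caller has the
 * required capability. A valid wp_rest nonce alone proves only that the
 * request came from a page that printed one; the advisory notes that nonce
 * is in public page source, so it says nothing about who is asking.
 */
function wemail_guard_block_unauthorized_delete( $response, $handler, WP_REST_Request $request ) {
    // Leave requests that are already failing, and every other route, alone.
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    if ( 'DELETE' !== $request->get_method()
        || 0 !== strpos( $request->get_route(), WEMAIL_GUARD_ROUTE_PREFIX ) ) {
        return $response;
    }
    // Cookie authentication (including the X-WP-Nonce check) has already run
    // by this point, so current_user_can() reflects the real caller.
    if ( current_user_can( 'manage_options' ) ) {
        return $response;
    }
    // Record enough to correlate with the web server log, then refuse.
    error_log( sprintf(
        'wemail-guard: blocked DELETE %s from %s',
        $request->get_route(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    return new WP_Error(
        'wemail_forms_forbidden',
        'Deleting forms requires administrator privileges.',
        array( 'status' => 403 )
    );
}
add_filter( 'rest_request_before_callbacks', 'wemail_guard_block_unauthorized_delete', 10, 3 );

/**
 * For comparison: what a plugin's own permission_callback for a destructive
 * route should do. WordPress rejects cookie-authenticated requests whose
 * X-WP-Nonce header is missing or stale before the callback runs, so the
 * callback's job is the capability check, not the nonce check.
 */
function wemail_guard_example_permission_callback( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.', array( 'status' => 403 ) );
    }
    return true;
}

// Hypothetical route registration (namespace example/v1 is not weMail's).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/forms/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => function ( WP_REST_Request $request ) {
            // Deletion logic would go here; the id is validated by the route regex.
            return rest_ensure_response( array( 'deleted' => (int) $request['id'] ) );
        },
        'permission_callback' => 'wemail_guard_example_permission_callback',
    ) );
} );
```

The guard hooks rest_request_before_callbacks, which runs after authentication and before the route's own callbacks; returning a WP_Error there stops the request with the given status. Once the site is on 2.0.8 or later the file can be removed, and the error_log lines it wrote give a record of any blocked attempts in the meantime.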
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel for weMail plugin version; if version is 2.0.7 or lower, it is vulnerable.
Check Version:
wp plugin get wemail --field=version
Verify Fix Applied:
Confirm weMail plugin is updated to version 2.0.8 or later in WordPress admin.
📡 Detection & Monitoring
Log Indicators:
- Unusual DELETE requests to /wp-json/wemail/v1/forms endpoint in web server logs.
- Multiple failed or successful form deletion attempts from unauthenticated IPs.
Network Indicators:
- HTTP DELETE requests to weMail REST API from external sources without authentication headers.
SIEM Query:
source="web_logs" AND uri="/wp-json/wemail/v1/forms" AND method="DELETE" AND user_agent NOT CONTAINS "wp-admin"
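Ordinary access logs do not carry cookies or nonce headers, so "unauthenticated" has to be inferred: a DELETE to the forms endpoint that returned 2xx, with no wp-admin referer and a non-browser user agent, is the pattern worth alerting on. The script below is an added example for this page, not part of the advisory or the plugin; it parses combined-format access log lines (constructed here, using documentation IP ranges), keeps only DELETE requests under /wp-json/wemail/v1/forms, and summarizes them per source IP.

```php
<?php
// Added example (not from the advisory): scan combined-format web server
// access logs for DELETE requests to the weMail forms endpoint and summarize
// them per source IP. Sample lines are constructed for illustration.

const WEMAIL_FORMS_PATH = '/wp-json/wemail/v1/forms';

// Constructed sample: one scripted client deleting two forms, one admin
// deleting a form from the dashboard (note the wp-admin referer).
function wemail_sample_log(): string {
    return <<<'LOG'
203.0.113.7 - - [10/Jan/2025:10:01:02 +0000] "GET /contact/ HTTP/1.1" 200 5120 "-" "python-requests/2.32"
203.0.113.7 - - [10/Jan/2025:10:01:05 +0000] "DELETE /wp-json/wemail/v1/forms/12 HTTP/1.1" 200 45 "-" "python-requests/2.32"
203.0.113.7 - - [10/Jan/2025:10:01:06 +0000] "DELETE /wp-json/wemail/v1/forms/13 HTTP/1.1" 200 45 "-" "python-requests/2.32"
198.51.100.2 - - [10/Jan/2025:10:02:00 +0000] "DELETE /wp-json/wemail/v1/forms/3 HTTP/1.1" 200 44 "https://example.com/wp-admin/admin.php?page=wemail" "Mozilla/5.0"
LOG;
}

// Parse combined log format and keep only DELETEs to the forms endpoint.
function wemail_parse_delete_events(string $log): array {
    $pattern = '/^(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" '
             . '(?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"$/';
    $events = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue; // not combined format: skip rather than guess
        }
        if ($m['method'] !== 'DELETE' || strpos($m['path'], WEMAIL_FORMS_PATH) !== 0) {
            continue;
        }
        $events[] = [
            'ip'      => $m['ip'],
            'time'    => $m['time'],
            'path'    => $m['path'],
            'status'  => (int) $m['status'],
            'referer' => $m['referer'],
            'ua'      => $m['ua'],
        ];
    }
    return $events;
}

// Per-IP counts: total deletes, 2xx deletes, and deletes with no wp-admin referer.
function wemail_summarize_by_ip(array $events): array {
    $summary = [];
    foreach ($events as $e) {
        $ip = $e['ip'];
        if (!isset($summary[$ip])) {
            $summary[$ip] = ['deletes' => 0, 'succeeded' => 0, 'no_admin_referer' => 0];
        }
        $summary[$ip]['deletes']++;
        if ($e['status'] >= 200 && $e['status'] < 300) {
            $summary[$ip]['succeeded']++;
        }
        if (strpos($e['referer'], '/wp-admin/') === false) {
            $summary[$ip]['no_admin_referer']++;
        }
    }
    return $summary;
}

$events  = wemail_parse_delete_events(wemail_sample_log());
$summary = wemail_summarize_by_ip($events);
foreach ($summary as $ip => $s) {
    // Successful deletes with no dashboard referer are the alert condition;
    // dashboard-originated deletes are listed for review only.
    $verdict = ($s['succeeded'] > 0 && $s['no_admin_referer'] > 0) ? 'ALERT' : 'review';
    printf("%-15s deletes=%d succeeded=%d no-admin-referer=%d %s\n",
        $ip, $s['deletes'], $s['succeeded'], $s['no_admin_referer'], $verdict);
}
```

When an administrator deletes a form from the dashboard, the wp-admin string appears in the Referer header, not in the User-Agent, which is why the script keys its second counter on the referer field. A 403 on the same endpoint after the WAF rule or a guard plugin is in place shows the mitigation working and can be counted separately if needed.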
🔗 References
- https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/FrontEnd/Scripts.php#L32
- https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Forms.php#L124
- https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Forms.php#L222
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3442404%40wemail%2Ftrunk&old=3423372%40wemail%2Ftrunk&sfp_email=&sfph_mail=#file1
- https://www.wordfence.com/threat-intel/vulnerabilities/id/16dd90c3-3962-4c8e-993f-b6824c48ab76?source=cve