CVE-2025-14348
📋 TL;DR
The weMail WordPress plugin has an authorization bypass that lets unauthenticated attackers impersonate administrators by supplying a crafted HTTP request header (x-wemail-user). With the impersonated identity they can reach the plugin's CSV subscriber endpoints, which return personally identifiable information (PII) such as e-mail addresses, names, and phone numbers. All WordPress sites running weMail versions up to and including 2.0.7 are affected.
💻 Affected Systems
- weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress
⚠️ Manual Verification Required
The CVE record does not carry a machine-readable affected-version range (none was supplied to NVD by the vendor), so automated version matching cannot flag affected installs on its own.
Why this matters: scanners that key off NVD version ranges will report "unknown" rather than "vulnerable". Use the versions stated elsewhere on this page instead (2.0.7 and earlier affected, 2.0.8 fixed) and confirm the installed version manually, as described under "How to Verify".
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Mass exfiltration of subscriber PII data including emails, names, and phone numbers, potentially leading to data breaches, regulatory fines, and reputational damage.
Likely Case
Targeted extraction of subscriber lists for spam campaigns, phishing attacks, or data harvesting from vulnerable WordPress sites.
If Mitigated
Limited impact if a WAF rule drops unauthenticated requests that carry the x-wemail-user header, access to the wemail REST namespace is restricted, and requests to the CSV endpoints are logged and alerted on. Network segmentation alone does little here, because the plugin's REST endpoints are reachable on the public site.
🎯 Exploit Status
No authentication is needed. The attacker sets the x-wemail-user request header to an administrator's e-mail address and calls the CSV endpoints. Note that the WordPress REST API (/wp-json/wp/v2/users) exposes usernames and display names to anonymous callers, not e-mail addresses, so the admin e-mail must be obtained or guessed by other means (site content, contact pages, common patterns such as admin@ or the author's public address); in practice that is a low bar.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.8
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the weMail plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.0.8 or later from the WordPress plugin repository and update manually.
🔧 Temporary Workarounds
Disable weMail Plugin
Temporarily disable the weMail plugin until patching is possible (a deactivated plugin registers no REST routes, so the CSV endpoints are no longer reachable):
wp plugin deactivate wemail
WAF Rule to Block Suspicious Headers
Configure the web application firewall to block requests to the wemail REST namespace (/wp-json/wemail/ and the equivalent ?rest_route=/wemail/ form) that carry an x-wemail-user header but no WordPress session cookie (wordpress_logged_in_*). Scope the rule to unauthenticated requests rather than blocking the header outright, and verify the plugin's own authenticated functions still work after enabling it.
🧯 If You Can't Patch
- Restrict access to the plugin's REST namespace (/wp-json/wemail/ and ?rest_route=/wemail/) to trusted sources at the web server or WAF; do not block the whole of /wp-json/, which WordPress core and other plugins depend on.
- Log request headers and cookies for the REST API (standard access-log formats omit them) and alert on requests to /wp-json/wemail/v1/csv endpoints that carry x-wemail-user without a WordPress session cookie.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for weMail version. If version is 2.0.7 or lower, system is vulnerable.
Check Version:
wp plugin get wemail --field=version
Verify Fix Applied:
Confirm that the installed weMail version is 2.0.8 or higher in the WordPress admin panel (or with the wp-cli command above). Then re-test: an unauthenticated request to the CSV endpoint that sets x-wemail-user to an administrator's e-mail must be rejected with an authorization error and must return no subscriber data.
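The version check above is quick for one site but tedious across many. The following added example (not code from this page or from the weMail project) audits the JSON that `wp plugin list --format=json` prints on each site against the fixed release stated on this page. The site names and plugin-list JSON are constructed sample data; the version parser is generic and handles pre-release suffixes so that, for instance, a 2.0.8 beta is still reported as vulnerable.

```python
"""Audit weMail plugin versions across a fleet against the CVE-2025-14348 fix."""
import json
import re

FIXED_VERSION = "2.0.8"   # first release stated as fixed on this page
PLUGIN_SLUG = "wemail"


def parse_version(v):
    """Turn '2.0.7', '2.1' or '2.0.8-beta1' into a comparable tuple.

    Numeric parts compare numerically (1.14.5 < 2.0.8, not as strings) and a
    pre-release tag sorts before the bare release (2.0.8-beta1 < 2.0.8).
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-+]?([0-9A-Za-z.]+))?$", v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:   # 2.0.0 == 2.0 == 2
        nums.pop()
    pre = m.group(2) or ""
    return (tuple(nums), 0 if pre else 1, pre)


def is_vulnerable(installed):
    """True when the installed weMail version predates the fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def audit_wp_plugin_list(plugin_list_json, site="localhost"):
    """Consume `wp plugin list --format=json` output for one site.

    Returns a finding dict for the weMail entry, or None if it is not installed.
    """
    for entry in json.loads(plugin_list_json):
        if entry.get("name") != PLUGIN_SLUG:
            continue
        vuln = is_vulnerable(entry["version"])
        active = entry.get("status") in ("active", "active-network")
        return {
            "site": site,
            "version": entry["version"],
            "status": entry.get("status", "unknown"),
            "vulnerable": vuln,
            # A deactivated plugin registers no REST routes, so it is not
            # exposed right now, but it must be updated before re-enabling.
            "exposed": vuln and active,
        }
    return None


# Constructed sample: what `wp plugin list --format=json` might print on three
# hypothetical sites. Not real output from any real host.
SAMPLE_SITES = {
    "shop.example": '[{"name":"wemail","status":"active","update":"available","version":"2.0.7"}]',
    "blog.example": ('[{"name":"akismet","status":"active","update":"none","version":"5.3"},'
                     '{"name":"wemail","status":"inactive","update":"available","version":"1.14.5"}]'),
    "docs.example": '[{"name":"wemail","status":"active","update":"none","version":"2.0.8"}]',
}


def audit_fleet(sites=SAMPLE_SITES):
    """Run the audit over every site and keep only those with weMail installed."""
    return [f for f in (audit_wp_plugin_list(j, s) for s, j in sites.items()) if f]


if __name__ == "__main__":
    for f in audit_fleet():
        flag = "VULNERABLE" if f["vulnerable"] else "patched"
        note = "  (active: currently exposed)" if f["exposed"] else ""
        print(f"{f['site']:<14} weMail {f['version']:<8} {f['status']:<9} {flag}{note}")
```

In a real deployment, replace `SAMPLE_SITES` with the output of `wp plugin list --format=json` collected from each host (for example over SSH); the rest of the script is unchanged.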
📡 Detection & Monitoring
Log Indicators:
- Requests to /wp-json/wemail/v1/csv endpoints (or the equivalent /index.php?rest_route=/wemail/v1/csv form) from clients that have not previously used the admin interface
- Requests to those endpoints carrying an x-wemail-user header but no WordPress session cookie (wordpress_logged_in_*)
- Repeated successful (HTTP 200) CSV responses of similar size to the same client in a short window. Because exploitation is unauthenticated, do not rely on failed-login events as a precursor; they will usually be absent.
Network Indicators:
- HTTP requests to the WordPress REST API that carry an x-wemail-user header from sources that never authenticated
- Large or repeated CSV downloads from the wemail endpoints, which are normally rare and limited to administrators
SIEM Query (pseudo-syntax; field names depend on your log pipeline):
source="web_access_logs" AND uri_path="/wp-json/wemail/v1/csv*" AND http_x_wemail_user="*" AND NOT cookie="*wordpress_logged_in_*"
Two caveats: default access-log formats do not record request headers or cookies, so the header and Cookie values must be added to the log format first (for example nginx $http_x_wemail_user and $http_cookie), and the query should not exclude WordPress/* user agents, since the User-Agent is attacker-controlled and trivially spoofed.
🔗 References
- https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Csv.php#L79
- https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Csv.php#L85
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3442404%40wemail%2Ftrunk&old=3423372%40wemail%2Ftrunk&sfp_email=&sfph_mail=#file1
- https://www.wordfence.com/threat-intel/vulnerabilities/id/59c0caa2-d0c2-472e-83c3-d11ad313720d?source=cve