Description
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce` header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the `weMail` JavaScript object on pages with weMail forms, any unauthenticated user can permanently delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to the forms endpoint.
Published: 2026-02-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized form deletion causing irreversible loss of marketing configuration and subscriber data
Action: Immediate Patch
AI Analysis

Impact

The weMail WordPress plugin allows all stored forms to be permanently deleted through its forms REST endpoint. The flaw exists in all releases up to and including 2.0.7 because the endpoint's permission callback checks only the nonce header rather than the requesting user's capabilities. An unauthenticated visitor can read that nonce from the weMail JavaScript object rendered on any page that contains a form, then send a DELETE request to remove every form. The result is loss of form definitions, configured opt-in settings, and associated marketing assets, severely impacting the site's email campaigns.

Affected Systems

WordPress sites running the weMail plugin version 2.0.7 or older. The plugin package provides email marketing, lead generation, opt-in forms, newsletters, A/B testing, and automation functionality.

Risk and Exploitability

The CVSS base score is 6.5, which rates the flaw as Medium severity. The EPSS score is below 1%, and the vulnerability has not been added to CISA's KEV catalog, indicating a low current exploitation probability. Nevertheless the attack is straightforward: any visitor to a page containing a weMail form can extract the nonce and send a DELETE request to the /wp-json/wemail/v1/forms endpoint. Because no authentication or capability check is performed, the attack requires no additional privileges, making it simple for attackers to destroy all form data without detection.
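To make the missing check concrete, here is an added illustration of a nonce-only permission callback beside the capability-checking form WordPress expects; this is not weMail's code, and the route namespace, capability name and handler are assumptions.

```php
<?php
// Added illustration, not weMail's own code. Route namespace
// ('wemail-demo/v1'), capability ('manage_options') and the handler
// name are assumptions; only the flaw shape comes from the advisory.

// Shape of the flaw (CWE-862): the callback asks only whether the
// X-WP-Nonce header carries a valid 'wp_rest' nonce. A nonce proves the
// request originated from a page that printed it, not that the caller
// may delete forms; WordPress issues a valid 'wp_rest' nonce to
// logged-out visitors too (tied to user ID 0).
function wemail_demo_permission_nonce_only( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-WP-Nonce' );
    return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
}

// Hardened form: authorization is a capability check. The REST server
// already verifies X-WP-Nonce for cookie-authenticated requests and
// sets the current user, so the callback only has to decide whether
// that user is allowed to delete forms.
function wemail_demo_permission_delete_forms( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error(
            'rest_not_logged_in',
            __( 'You must be logged in to delete forms.' ),
            array( 'status' => 401 )
        );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to delete forms.' ),
            array( 'status' => 403 )
        );
    }
    return true;
}

// Placeholder handler; the real deletion logic lives in the plugin.
function wemail_demo_delete_forms( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'deleted' => true ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'wemail-demo/v1', '/forms', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'wemail_demo_delete_forms',
        'permission_callback' => 'wemail_demo_permission_delete_forms',
    ) );
} );
```

With the hardened callback, a DELETE carrying only a nonce from a logged-out page is answered with a 401 before the handler runs.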

Generated by OpenCVE AI on April 22, 2026 at 19:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the weMail plugin to a release newer than 2.0.7 that includes the authorization fix.
  • If an immediate upgrade is not possible, temporarily deactivate or delete the weMail plugin to prevent unauthenticated deletion requests.
  • After the update or deactivation, verify that no REST endpoint permits form deletion without proper user permissions and confirm that the weMail JavaScript is not exposing a nonce to public pages.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 22:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values Added: Wedevs; Wedevs wemail: Email Marketing, Email Automation, Newsletters, Subscribers & Ecommerce Email Optins; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wedevs; Wedevs wemail: Email Marketing, Email Automation, Newsletters, Subscribers & Ecommerce Email Optins; Wordpress; Wordpress wordpress

Sat, 21 Feb 2026 09:30:00 +0000

Type: Description
Values Added: The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce` header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the `weMail` JavaScript object on pages with weMail forms, any unauthenticated user can permanently delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to the forms endpoint.

Type: Title
Values Added: weMail <= 2.0.7 - Missing Authorization to Unauthenticated Form Deletion

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:37:15.300Z

Reserved: 2025-12-09T14:06:01.519Z

Link: CVE-2025-14339

Vulnrichment

Updated: 2026-02-25T21:18:41.520Z

NVD

Status: Deferred

Published: 2026-02-21T10:16:11.133

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14339

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T20:00:08Z

Weaknesses