Description
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII (emails, names, phone numbers) from imported CSV files.
Published: 2026-01-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The weMail plugin for WordPress contains an authorization bypass: its REST API accepts the custom HTTP header `x-wemail-user` as the identity of the requesting user without verifying that the request comes from an authenticated WordPress session. This is a textbook instance of CWE-285 (Improper Authorization): the application lets user-controlled input decide who the caller is, and therefore what the caller may access. A remote actor who knows or can guess an administrator's email address can place it in the header, impersonate that admin and retrieve subscriber data from the plugin's CSV subscriber endpoints. The advisory points at the publicly readable `/wp-json/wp/v2/users` endpoint as the enumeration aid; note that by default that endpoint returns usernames, slugs and display names rather than email addresses, so in practice the attacker derives a candidate address from the username and the site's domain, or uses one already known. The exposed records may include email addresses, names and phone numbers, a direct leak of personally identifiable information. Actual impact: the attacker gains read-only access to subscriber lists without compromising any site credential, turning the plugin into a data exfiltration channel. Because the flaw sits on an unauthenticated REST call, it is exploitable from any internet-connected host; the CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects this, and the C:L/I:N/A:N components record that only confidentiality is affected. CWE reference: the root cause is that the application trusts request-controlled input to establish authorization, the hallmark of CWE-285.
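To make the CWE-285 pattern concrete, here is an added illustration (written for this page, not weMail's own code) of a WordPress REST permission callback that derives the acting user from a client-supplied header, next to a hardened callback that relies only on WordPress's own authenticated session. The namespace `hypo/v1`, the route path, the function names, the sample rows and the `manage_options` capability are assumptions chosen for the example; the plugin's real route names and capability checks are not given on this page.

```php
<?php
/**
 * Added illustration (not weMail's code): a REST permission callback that
 * trusts a client-supplied identity header, beside a hardened version.
 * Route, capability and handler names below are hypothetical.
 */

// --- Vulnerable pattern: the caller's identity comes from a request header ---
function hypo_vuln_permission( WP_REST_Request $request ) {
    $email = $request->get_header( 'x-wemail-user' );
    if ( ! $email ) {
        return false;
    }
    // Any client can send an admin's address here; nothing proves it owns the account.
    $user = get_user_by( 'email', sanitize_email( $email ) );
    if ( ! $user ) {
        return false;
    }
    wp_set_current_user( $user->ID );            // impersonation with no credential check
    return user_can( $user, 'manage_options' );  // passes for any admin address the attacker names
}

// --- Hardened pattern: rely only on WordPress's authenticated session ---
function hypo_safe_permission( WP_REST_Request $request ) {
    // is_user_logged_in() is true only when WordPress itself authenticated the
    // request (cookie + valid X-WP-Nonce, or an application password). A bare
    // cookie without a nonce is demoted to anonymous before this runs.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    // Hypothetical capability for the export; the plugin's real check is not on this page.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges.',
            array( 'status' => 403 ) );
    }
    return true;
}

add_action( 'rest_api_init', function () {
    // Hypothetical namespace and route; the gate is the permission_callback.
    register_rest_route( 'hypo/v1', '/subscribers/export', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'hypo_export_subscribers',
        'permission_callback' => 'hypo_safe_permission',
    ) );
} );

function hypo_export_subscribers( WP_REST_Request $request ) {
    // Constructed sample rows standing in for the imported CSV; a real handler
    // would read them from the plugin's storage. Only reachable past the gate above.
    $rows = array(
        array( 'email' => 'alice@example.com', 'name' => 'Alice', 'phone' => '+1-555-0100' ),
        array( 'email' => 'bob@example.com',   'name' => 'Bob',   'phone' => '+1-555-0101' ),
    );
    return rest_ensure_response( $rows );
}
```

The difference is where identity originates: the vulnerable callback lets the request name its own user, while the hardened one asks WordPress who the current user is and only then checks a capability. A permission callback should never call `wp_set_current_user()` based on request data.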

Affected Systems

Any WordPress site running the weDevs weMail plugin at version 2.0.7 or earlier is affected. Because the WordPress REST API is reachable without authentication by default, the affected routes are exposed on a typical install; sites that have imported subscriber CSV files hold the data the flaw leaks and are at the greatest risk.

Risk and Exploitability

The calculated CVSS score of 5.3 indicates medium severity. The EPSS score of below 1% suggests that exploitation is not yet widespread, and the vulnerability is not listed in CISA's KEV catalog. Nevertheless, because the flaw permits direct leakage of subscriber PII, the risk remains significant for sites that value the confidentiality of their contact lists. An attacker needs only to send one HTTP request with the forged header set to an administrator's email address; no credentials, user interaction or special access conditions are required, which is what the vector's AV:N/AC:L/PR:N/UI:N components express. The SSVC assessment recorded below (Automatable: yes, Technical Impact: partial) points the same way.

Generated by OpenCVE AI on April 21, 2026 at 23:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the weMail plugin to a release newer than 2.0.7 as soon as the vendor publishes one; the advisory scopes the flaw to 2.0.7 and earlier, so a later release is the only complete fix.
  • Until then, enforce at the site level (a must-use plugin or WAF rule) that requests to the plugin's REST routes come from an authenticated WordPress session, and reject anonymous requests that carry an `x-wemail-user` header at all; the acting user must never be derived from a request header, which is the CWE-285 weakness itself.
  • Restrict the CSV subscriber endpoints to administrators through a capability check in the route's permission_callback rather than a role name, and consider limiting `/wp-json/wp/v2/users` to authenticated users to blunt the user-enumeration step the attack relies on.
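As an added example (not vendor code) of the site-level stop-gap in the second and third bullets, the following must-use plugin refuses anonymous REST requests that assert an identity through `x-wemail-user`, that target the plugin's namespace, or that hit the user listing used for enumeration. The `wemail` namespace prefix is an assumption: list the namespaces registered on your site with a GET to /wp-json/ and adjust the prefix list. If the plugin's front-end opt-in forms submit anonymously to the same namespace, this rule will break them, in which case narrow the prefixes to the subscriber/CSV routes.

```php
<?php
/**
 * Plugin Name: Hypothetical weMail REST hardening
 * Description: Added mu-plugin illustration, not weDevs code. Until a fixed
 * release is installed, refuses anonymous REST calls that (a) carry the
 * x-wemail-user header, (b) target the plugin's namespace, or (c) hit the
 * user-enumeration endpoint. The '/wemail/' prefix is an ASSUMPTION; check
 * GET /wp-json/ for the namespaces actually registered on your site.
 * Drop this file into wp-content/mu-plugins/ to activate it.
 */

const HYPO_BLOCKED_PREFIXES = array( '/wemail/', '/wp/v2/users' );

/** Pure decision function: keeps the rule testable without WordPress loaded. */
function hypo_should_block( string $route, bool $logged_in, bool $has_identity_header ): bool {
    if ( $logged_in ) {
        return false;                        // real session: capability checks apply downstream
    }
    if ( $has_identity_header ) {
        return true;                         // anonymous client asserting an identity
    }
    foreach ( HYPO_BLOCKED_PREFIXES as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return true;                     // anonymous access to a sensitive namespace
        }
    }
    return false;
}

// Priority 101: runs after WordPress's own cookie/nonce check (priority 100),
// so is_user_logged_in() already reflects whether the session was accepted.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( null !== $result ) {
        return $result;                      // another handler already decided (error or success)
    }

    // rest_route is populated by WordPress before serve_request() fires this filter,
    // for both pretty (/wp-json/...) and plain (?rest_route=...) URL styles.
    $route = '';
    if ( isset( $GLOBALS['wp']->query_vars['rest_route'] ) ) {
        $route = '/' . ltrim( (string) $GLOBALS['wp']->query_vars['rest_route'], '/' );
    }
    // The HTTP header x-wemail-user arrives as HTTP_X_WEMAIL_USER under CGI rules.
    $has_header = isset( $_SERVER['HTTP_X_WEMAIL_USER'] );

    if ( hypo_should_block( $route, is_user_logged_in(), $has_header ) ) {
        return new WP_Error(
            'hypo_rest_forbidden',
            'Authentication required for this endpoint.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $result;
}, 101 );
```

Returning a `WP_Error` from `rest_authentication_errors` stops the request before any route's own permission callback runs, so the plugin's header-trusting logic is never reached for anonymous callers. Verify the rule after deployment with two requests: one anonymous call that sets the header and expects a 401, and one from a logged-in browser session carrying a valid `X-WP-Nonce` that still succeeds.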


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 08:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Wedevs; Wedevs wemail; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Wedevs; Wedevs wemail; Wordpress; Wordpress wordpress

Tue, 20 Jan 2026 04:45:00 +0000

Type: Description
Values Removed: none
Values Added: The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII (emails, names, phone numbers) from imported CSV files.

Type: Title
Values Removed: none
Values Added: weMail <= 2.0.7 - Insufficient Authorization via x-wemail-user Header to Sensitive Information Disclosure

Type: Weaknesses
Values Removed: none
Values Added: CWE-285

Type: References
Values Removed: none
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:54:54.625Z

Reserved: 2025-12-09T15:13:36.266Z

Link: CVE-2025-14348

Vulnrichment

Updated: 2026-01-20T15:10:42.202Z

NVD

Status : Deferred

Published: 2026-01-20T05:16:04.677

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14348

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:00:03Z

Weaknesses