Atomic Edge analysis of CVE-2025-14339:
The weMail WordPress plugin version 2.0.7 and earlier contains a missing authorization vulnerability in its form deletion REST endpoint. This flaw allows any unauthenticated visitor to delete all weMail forms. The vulnerability stems from insufficient permission checks in the Forms REST API handler.

Root Cause:
The vulnerability exists in the `Forms::permission()` callback function within `/wemail/includes/Rest/Forms.php`. The original function only validated the `X-WP-Nonce` header via `wp_verify_nonce()` without checking if the user was authenticated or had appropriate capabilities. The nonce was exposed to unauthenticated visitors through the `weMail` JavaScript object on pages containing weMail forms. This allowed attackers to extract valid nonces and bypass authentication requirements.

Exploitation:
An attacker can exploit this vulnerability by first visiting any page containing a weMail form and extracting the REST API nonce from the page source. The nonce is exposed in the `weMail` JavaScript object. The attacker then sends a DELETE request to the `/wp-json/wemail/v1/forms/{form_id}` endpoint with the extracted nonce in the `X-WP-Nonce` header. No authentication credentials are required. The attacker can enumerate form IDs or send batch deletion requests to remove all forms.

Patch Analysis:
The patch in version 2.0.8 modifies the `Forms::permission()` function to apply three sequential checks. First, it verifies the user is logged in with `is_user_logged_in()`. Second, it checks that the user has the `manage_form` capability via `wemail()->user->can('manage_form')`. Third, it keeps the nonce verification, which now serves only its intended purpose of CSRF protection. The patch also updates the Csv.php file to replace the generic `permission()` callback with specific capability checks (`can_csv_upload`, `can_meta_fields`, `can_get_subscribers`) for the different CSV endpoints.
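To make the fix concrete, the PHP below shows the permission-callback pattern the analysis describes, the nonce-only version beside the hardened one, wired to a DELETE route. This is an added illustration, not the plugin's source; it assumes the plugin's `wemail()->user->can()` helper is loaded, and the nonce action `wp_rest`, the function names and the handler `wemail_example_delete_form` are placeholders.

```php
<?php
// Added example (not weMail's code): REST permission callbacks before and
// after the style of fix described for version 2.0.8.

// Before: nonce only. The same nonce is printed into the page for every
// visitor, so a valid X-WP-Nonce proves nothing about who is calling.
function wemail_example_permission_vulnerable( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-WP-Nonce' );
    return (bool) wp_verify_nonce( $nonce, 'wp_rest' ); // 'wp_rest' is an assumed action
}

// After: authentication, then capability, then nonce (CSRF protection only).
// Returning WP_Error with a status lets WordPress answer 401/403 explicitly.
function wemail_example_permission_fixed( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    // Assumes the plugin's capability helper named in the patch analysis.
    if ( ! wemail()->user->can( 'manage_form' ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
        return new WP_Error( 'rest_cookie_invalid_nonce', 'Invalid nonce.', array( 'status' => 403 ) );
    }
    return true;
}

// Route registration: the permission_callback runs before the handler, so a
// request that fails any check above never reaches the deletion code.
add_action( 'rest_api_init', function () {
    register_rest_route( 'wemail/v1', '/forms/(?P<form_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'wemail_example_delete_form', // hypothetical handler
        'permission_callback' => 'wemail_example_permission_fixed',
        'args'                => array(
            'form_id' => array(
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
            ),
        ),
    ) );
} );
```

The ordering matters: the nonce check is kept last and cannot substitute for the first two, because WordPress cookie authentication only resolves a user when the nonce is valid and a session cookie is present, so an anonymous caller with a scraped nonce still fails `is_user_logged_in()`.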

Impact:
Successful exploitation allows complete deletion of all weMail forms, disrupting email marketing campaigns, lead generation, and subscriber acquisition. Attackers can permanently remove forms without authentication, causing data loss and operational disruption. The vulnerability does not require any user interaction beyond visiting a page with a weMail form.