Atomic Edge analysis of CVE-2025-14348:
The weMail WordPress plugin version 2.0.7 and earlier contains an insufficient authorization vulnerability in its REST API CSV endpoints. The vulnerability allows unauthenticated attackers to bypass authentication by supplying a forged HTTP header, leading to unauthorized access to subscriber data. The CVSS score is 5.3 (Medium severity).
The root cause is the `permission` function in `/wemail/includes/Rest/Csv.php`. This function trusted the `x-wemail-user` HTTP header to identify users without verifying the request originated from an authenticated WordPress session. The function used `get_user_by('email', $user_email)` on line 14 to retrieve a user object based solely on the email address provided in the header. If the user existed, the function set the current user via `wp_set_current_user($user->ID)` and returned the result of a capability check. This design allowed any actor to impersonate a user by knowing or guessing their email address.
An attacker exploits this by enumerating admin email addresses via the public WordPress REST API endpoint `/wp-json/wp/v2/users`. The attacker then crafts an HTTP request to the CSV endpoints, such as `/wp-json/wemail/v1/csv/{file_id}/subscribers`, and includes the `x-wemail-user` header set to the enumerated admin email. No authentication cookies, API keys, or nonces are required. The server processes the request as if the admin user made it, returning subscriber PII from imported CSV files.
The patch in version 2.0.8 removes the vulnerable `permission` function entirely from the `Csv` class. It replaces the `permission_callback` for three CSV endpoints (`csv_file_info`, `meta_fields`, and `subscribers`) with three new dedicated functions: `can_csv_upload`, `can_meta_fields`, and `can_get_subscribers`. The patch also updates the `permission` function in `/wemail/includes/Rest/Forms.php` to enforce a three-step check: verifying the user is logged in via `is_user_logged_in()`, checking weMail-specific capabilities, and validating a WordPress REST API nonce via `wp_verify_nonce`. These changes ensure requests originate from a valid WordPress session.
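The following is an illustrative reconstruction of the two permission-callback patterns described above, added here as an example and not the plugin's actual code: the pre-2.0.8 callback that derives identity from a client-supplied header, beside a hardened callback that applies the three-step check (session, capability, REST nonce). The capability constant `WEMAIL_CSV_CAPABILITY` and the handler name `wemail_csv_subscribers_handler` are placeholders, since the page does not name the plugin's own capabilities or handlers.

```php
<?php
// Placeholder: the real plugin checks its own weMail-specific capabilities.
define( 'WEMAIL_CSV_CAPABILITY', 'manage_options' );

// Vulnerable pattern (pre-2.0.8): identity is taken from an unauthenticated header.
function wemail_csv_permission_vulnerable( WP_REST_Request $request ) {
    $user_email = $request->get_header( 'x-wemail-user' );
    $user       = get_user_by( 'email', $user_email ); // trusts whatever the client sent
    if ( ! $user ) {
        return false;
    }
    wp_set_current_user( $user->ID ); // impersonation with no proof of a session
    return current_user_can( WEMAIL_CSV_CAPABILITY );
}

// Hardened pattern: the current user comes only from WordPress authentication.
function wemail_csv_permission_hardened( WP_REST_Request $request ) {
    // 1. The request must carry a valid WordPress session (cookie, app password, ...).
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    // 2. Capability check against the already-authenticated user, never request data.
    if ( ! current_user_can( WEMAIL_CSV_CAPABILITY ) ) {
        return new WP_Error( 'rest_forbidden', 'Insufficient capability.', array( 'status' => 403 ) );
    }
    // 3. A REST nonce ties the request to the logged-in browser context (anti-CSRF).
    $nonce = $request->get_header( 'X-WP-Nonce' );
    if ( ! $nonce || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
        return new WP_Error( 'rest_cookie_invalid_nonce', 'Invalid or missing nonce.', array( 'status' => 403 ) );
    }
    return true;
}

// Route registration using the hardened callback; the data handler is assumed.
add_action( 'rest_api_init', function () {
    register_rest_route( 'wemail/v1', '/csv/(?P<file_id>[\w-]+)/subscribers', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'wemail_csv_subscribers_handler', // placeholder handler
        'permission_callback' => 'wemail_csv_permission_hardened',
    ) );
} );
```

A request that only sets `x-wemail-user` fails the hardened callback at step 1, because no WordPress authentication has established a current user.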
Successful exploitation allows an attacker to exfiltrate subscriber Personally Identifiable Information (PII) stored in imported CSV files. This data includes email addresses, names, and phone numbers. The vulnerability does not grant full administrative access but enables data disclosure from the plugin’s subscriber management system, violating data privacy and potentially facilitating further attacks.
