weMail%3A%20Email%20Marketing%2C%20Email%20Automation%2C%20Newsletters%2C%20Subscribers%20%26%20eCommerce%20Email%20Optins

weMail: Email Marketing, Email Automation, Newsletters, Subscribers & eCommerce Email Optins

Source -

CNA

CNA CVEs -

ADP CVEs -

CISA CVEs -

NVD CVEs -

1Vulnerabilities found

CVE-2025-14339

Assigner-Wordfence

View Details

Assigner-Wordfence

CVSS Score-6.5||MEDIUM

EPSS-0.06% / 19.10%

7 Day CHG~0.00%

Published-21 Feb, 2026 | 09:27

Updated-25 Feb, 2026 | 21:18

weMail <= 2.0.7 - Missing Authorization to Unauthenticated Form Deletion

The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce` header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the `weMail` JavaScript object on pages with weMail forms, any unauthenticated user can permanently delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to the forms endpoint.

Vendor-weDevs Pte. Ltd.

Product-weMail: Email Marketing, Email Automation, Newsletters, Subscribers & eCommerce Email Optins

CWE ID-CWE-862

Missing Authorization