Home

Description

The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII (emails, names, phone numbers) from imported CSV files.

PUBLISHED Reserved 2025-12-09 | Published 2026-01-20 | Updated 2026-01-20 | Assigner Wordfence




MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Problem types

CWE-285 Improper Authorization

Product status

Default status
unaffected

* (semver)
affected

Timeline

2025-12-24:Vendor Notified
2026-01-19:Disclosed

Credits

Angus Girvan finder

References

www.wordfence.com/...-d0c2-472e-83c3-d11ad313720d?source=cve

plugins.trac.wordpress.org/...gs/2.0.6/includes/Rest/Csv.php

plugins.trac.wordpress.org/...gs/2.0.6/includes/Rest/Csv.php

plugins.trac.wordpress.org/...%2Ftrunk&sfp_email=&sfph_mail=

cve.org (CVE-2025-14348)

nvd.nist.gov (CVE-2025-14348)

Download JSON