6.5
Unauthorized form deletion in weMail plugin for WordPress
CVE-2025-14339
Summary
The weMail plugin for WordPress allows an unauthenticated attacker to delete all email forms. This is a serious issue because anyone with some technical knowledge can delete the site's marketing and lead generation forms, and the deletion is permanent. To protect your site, update the weMail plugin to the latest version (versions up to and including 2.0.7 are affected) or remove it if you don't use it.
Original title
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, an...
Original description
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce` header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the `weMail` JavaScript object on pages with weMail forms, any unauthenticated user can permanently delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to the forms endpoint.
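The pattern described above, a REST `permission_callback` that validates only the nonce, is shown here beside a hardened form. This is an added illustration and not weMail's source code: the `example/v1` route, the class name, the `example_form` post type and the choice of `manage_options` as the required capability are all assumptions.

```php
<?php
// Added illustration, not weMail source. Route, class, post type and
// capability names are assumptions.
class Example_Forms_Controller {

    public function register_routes() {
        register_rest_route( 'example/v1', '/forms', array(
            'methods'             => WP_REST_Server::DELETABLE,
            'callback'            => array( $this, 'delete_forms' ),
            // Using permission_nonce_only here reproduces the flaw.
            'permission_callback' => array( $this, 'permission_hardened' ),
        ) );
    }

    // Flawed: the nonce is CSRF protection. WordPress also issues valid
    // 'wp_rest' nonces for logged-out visitors (user ID 0), so passing
    // this check says nothing about who the caller is.
    public function permission_nonce_only( WP_REST_Request $request ) {
        return (bool) wp_verify_nonce( $request->get_header( 'X-WP-Nonce' ), 'wp_rest' );
    }

    // Hardened: keep the nonce check, then require a capability.
    public function permission_hardened( WP_REST_Request $request ) {
        if ( ! wp_verify_nonce( $request->get_header( 'X-WP-Nonce' ), 'wp_rest' ) ) {
            return new WP_Error( 'rest_invalid_nonce', 'Invalid nonce.', array( 'status' => 403 ) );
        }
        // current_user_can() is false for user ID 0 (not logged in).
        if ( ! current_user_can( 'manage_options' ) ) {
            return new WP_Error( 'rest_forbidden', 'Not allowed to delete forms.',
                array( 'status' => rest_authorization_required_code() ) );
        }
        return true;
    }

    // Deletes only posts of the hypothetical 'example_form' type.
    public function delete_forms( WP_REST_Request $request ) {
        $deleted = 0;
        foreach ( array_map( 'absint', (array) $request->get_param( 'ids' ) ) as $id ) {
            if ( 'example_form' === get_post_type( $id ) && wp_delete_post( $id, true ) ) {
                $deleted++;
            }
        }
        return rest_ensure_response( array( 'deleted' => $deleted ) );
    }
}

add_action( 'rest_api_init', array( new Example_Forms_Controller(), 'register_routes' ) );
```

When reviewing other plugins for the same class of bug (CWE-862), look for `permission_callback` functions on state-changing routes that return after `wp_verify_nonce()` without a `current_user_can()` check.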
nvd CVSS3.1
6.5
Vulnerability type
CWE-862
Missing Authorization
- https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/FrontEnd/S...
- https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Forms...
- https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Forms...
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/16dd90c3-3962-4c8e-993...
Published: 21 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026