weMail < 2.0.8 – Sensitive Information Disclosure | CVE 2025-14348 | Plugin Vulnerabilities

Description

The plugin is vulnerable to authorization bypass due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII (emails, names, phone numbers) from imported CSV files.

Affects Plugins

Fixed in 2.0.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/59c0caa2-d0c2-472e-83c3-d11ad313720d

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

shark3y

Verified

No

WPVDB ID

d6b845e2-5748-4b2c-ae4c-922ea1bd5b8f

Timeline

Publicly Published

2026-01-19 (about 5 months ago)

Added

2026-01-19 (about 5 months ago)

Last Updated

2026-01-19 (about 5 months ago)

Other

Published

Title

Published

2025-05-05

Title

Reales WP STPT <= 2.1.2 - Unauthorized User Registration

Published

2024-08-21

Title

Themify Builder < 7.6.2 - Missing Authorization to Authenticated (Contributor+) Post Duplication

Published

2026-01-09

Title

Templately < 3.4.9 - Unauthenticated Limited Arbitrary JSON File Write

Published

2024-01-29

Title

Avada < 7.11.2 - Author+ Arbitrary File Upload via Zip Extraction

Published

2025-04-09

Title

SureForms < 1.4.4 - Contributor+ Settings Update