Medium severity6.5NVD Advisory· Published Feb 21, 2026· Updated Apr 15, 2026
CVE-2025-14339
CVE-2025-14339
Description
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the Forms::permission() callback only validating the X-WP-Nonce header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the weMail JavaScript object on pages with weMail forms, any unauthenticated user can permanently delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to the forms endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Package: https://wordpress.org/plugins/wemail
Patches
Vulnerability mechanics
References
5- plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/FrontEnd/Scripts.phpnvd
- plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Forms.phpnvd
- plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Forms.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/16dd90c3-3962-4c8e-993f-b6824c48ab76nvd
News mentions
0No linked articles in our index yet.