Unauthorized Form Deletion Vulnerability in weMail Plugin by WordPress
CVE-2025-14339

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Wemail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins For WooCommerce
Vendor: CVE Published:; 21 February 2026

What is CVE-2025-14339?

The weMail plugin for WordPress is susceptible to unauthorized form deletion due to insufficient validation in the permission callback. The Forms::permission() function fails to verify user capabilities, relying solely on the X-WP-Nonce header. This oversight allows unauthenticated users to access the nonce through the weMail JavaScript object on public pages, enabling them to send DELETE requests to remove all weMail forms. This vulnerability poses a significant risk to data integrity for users of the plugin.

Affected Version(s)

weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce 0 <= 2.0.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wemail/tags/2....

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 21, 2026
Vulnerability Reserved
Dec 9, 2025

Credit

Angus Girvan

CVE-2025-14339 Data

JSON