{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-18T12:08:17.984","vulnerabilities":[{"cve":{"id":"CVE-2025-14339","sourceIdentifier":"security@wordfence.com","published":"2026-02-21T10:16:11.133","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce` header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the `weMail` JavaScript object on pages with weMail forms, any unauthenticated user can permanently delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to the forms endpoint."},{"lang":"es","value":"El plugin weMail - Email Marketing, Generación de Leads, Formularios de Suscripción, Boletines por Correo Electrónico, Pruebas A/B y Automatización para WordPress es vulnerable a la eliminación no autorizada de formularios en todas las versiones hasta la 2.0.7, inclusive. Esto se debe a que la función de callback 'Forms::permission()' solo valida el encabezado 'X-WP-Nonce' sin verificar las capacidades del usuario. Dado que el nonce REST se expone a visitantes no autenticados a través del objeto JavaScript 'weMail' en páginas con formularios de weMail, cualquier usuario no autenticado puede eliminar permanentemente todos los formularios de weMail extrayendo el nonce del código fuente de la página y enviando una solicitud DELETE al endpoint de formularios."}],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L","baseScore":6.5,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":3.9,"impactScore":2.5}]},"weaknesses":[{"source":"security@wordfence.com","type":"Secondary","description":[{"lang":"en","value":"CWE-862"}]}],"references":[{"url":"https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/FrontEnd/Scripts.php#L32","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Forms.php#L124","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Forms.php#L222","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3442404%40wemail%2Ftrunk&old=3423372%40wemail%2Ftrunk&sfp_email=&sfph_mail=#file1","source":"security@wordfence.com"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/16dd90c3-3962-4c8e-993f-b6824c48ab76?source=cve","source":"security@wordfence.com"}]}}]}