[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ftqRrQ8r5DcdITQOzyqZ6btqR99f7jJtBF71pH9z1Lx4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20},"CVE-2025-14339","wemail-missing-authorization-to-unauthenticated-form-deletion","weMail \u003C= 2.0.7 - Missing Authorization to Unauthenticated Form Deletion","The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A\u002FB Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce` header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the `weMail` JavaScript object on pages with weMail forms, any unauthenticated user can permanently delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to the forms endpoint.","wemail",null,"\u003C=2.0.7","2.0.8","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:L","Missing Authorization","2026-02-20 20:58:51","2026-02-21 09:28:01",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F16dd90c3-3962-4c8e-993f-b6824c48ab76?source=api-prod",1]