Vulnerabilities and security researches forwemail wemail

Jun 07, 2024

CVE, Research URL: CVE-2024-34822
Home page URL: Security reports for weMail – Email Marketing, Newsletter, Optin Forms, Subscribers WordPress Plugin
Application: weMail – Email Marketing, Newsletter, Optin Forms, Subscribers WordPress Plugin
Date: Jun 11, 2024
Research Description: Missing Authorization vulnerability in weDevs weMail.This issue affects weMail: from n/a through 1.14.2.
Affected versions: max 1.14.3.
Status: vulnerable

CVE, Research URL: 6a52473efb874076a39c4ea21209648e624cf1b4
Home page URL: Security reports for weMail – Email Marketing, Newsletter, Optin Forms, Subscribers WordPress Plugin
Application: weMail – Email Marketing, Newsletter, Optin Forms, Subscribers WordPress Plugin
Date: Sep 04, 2023
Research Description: weMail – Email Marketing, Newsletter, Optin Forms, Subscribers WordPress Plugin [wemail] < 1.14.2 WordPress weMail Plugin <= 1.14.1 is vulnerable to Cross Site Request Forgery (CSRF) No patched version is available. Lana Codes discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress weMail Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. This vulnerability has not been known to be fixed yet.
Affected versions: max 1.14.2.
Status: vulnerable

Aug 16, 2024

CVE, Research URL: CVE-2024-43238
Home page URL: Security reports for weMail – Email Marketing, Newsletter, Optin Forms, Subscribers WordPress Plugin
Application: weMail – Email Marketing, Newsletter, Optin Forms, Subscribers WordPress Plugin
Date: Aug 18, 2024
Research Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in weDevs weMail allows Reflected XSS.This issue affects weMail: from n/a through 1.14.5.
Affected versions: max 1.14.6.
Status: vulnerable

May 09, 2025

CVE, Research URL: CVE-2025-47540
Home page URL: Security reports for weMail – Email Marketing, Newsletter, Optin Forms, Subscribers WordPress Plugin
Application: weMail – Email Marketing, Newsletter, Optin Forms, Subscribers WordPress Plugin
Date: May 07, 2025
Research Description: Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs weMail allows Retrieve Embedded Sensitive Data. This issue affects weMail: from n/a through 1.14.13.
Affected versions: max 1.14.14.
Status: vulnerable

Jan 28, 2026

CVE, Research URL: CVE-2025-14348
Home page URL: Security reports for weMail – Email Marketing, Newsletter, Optin Forms, Subscribers WordPress Plugin
Application: weMail – Email Marketing, Newsletter, Optin Forms, Subscribers WordPress Plugin
Date: Jan 20, 2026
Research Description: The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 2.0.7. This is due to the plugin's REST API trusting the `x-wemail-user` HTTP header to identify users without verifying the request originates from an authenticated WordPress session. This makes it possible for unauthenticated attackers who know or can guess an admin email (easily enumerable via `/wp-json/wp/v2/users`) to impersonate that user and access the CSV subscriber endpoints, potentially exfiltrating subscriber PII (emails, names, phone numbers) from imported CSV files.
Affected versions: max 2.0.8.
Status: vulnerable