WeDevs weMail
cpe:2.3:a:wedevs:wemail:*:*:*:*:wordpress:*:*
- <= 2.0.7
A vulnerability exists in the weMail WordPress plugin, specifically in versions through 2.0.7, allowing unauthorized deletion of forms. The issue arises because the permission callback for form deletion only verifies the X-WP-Nonce header, without assessing user capabilities. This nonce is accessible to unauthenticated users via the weMail JavaScript object on pages with weMail forms. As a result, any unauthenticated individual can delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to the forms endpoint.
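The flaw class described above, as an added illustration that is not weMail's own code: a WordPress REST route whose `permission_callback` accepts any request carrying a valid `wp_rest` nonce, beside a hardened route that requires an authenticated user with an appropriate capability. The route namespace, the `/forms` path, the `manage_options` capability, and the `example_delete_form` handler are assumptions chosen for the example.

```php
<?php
// Added example, not weMail's code. Namespace, paths, capability name and
// the example_delete_form handler are assumptions for illustration.

add_action( 'rest_api_init', function () {

    // VULNERABLE pattern: a valid REST nonce is treated as authorization.
    // wp_create_nonce( 'wp_rest' ) is issued to every visitor, including
    // unauthenticated ones, so any page that prints it into a JavaScript
    // object hands out a token that satisfies this callback. A nonce proves
    // request origin (CSRF protection), not identity or privilege.
    register_rest_route( 'example-plugin/v1', '/forms/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_form',
        'permission_callback' => function ( WP_REST_Request $request ) {
            $nonce = $request->get_header( 'X-WP-Nonce' );
            return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
        },
    ) );

    // HARDENED pattern: require a logged-in user holding a capability that
    // matches the destructive action. WordPress core already validates the
    // X-WP-Nonce header for cookie-authenticated REST requests and only sets
    // the current user when it is valid, so the callback checks capability
    // rather than re-checking the nonce.
    register_rest_route( 'example-plugin/v1', '/forms-secure/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_form',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! is_user_logged_in() ) {
                return new WP_Error(
                    'rest_not_logged_in',
                    'Authentication required.',
                    array( 'status' => 401 )
                );
            }
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    'Insufficient permissions.',
                    array( 'status' => 403 )
                );
            }
            return true;
        },
        'args' => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value );
                },
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );

// Shared handler; the deletion itself stands in for the plugin's own logic.
function example_delete_form( WP_REST_Request $request ) {
    $id      = (int) $request['id'];
    $deleted = delete_option( 'example_form_' . $id );
    return rest_ensure_response( array( 'deleted' => $deleted, 'id' => $id ) );
}
```

When reviewing a plugin for this pattern, search its `register_rest_route` calls for `permission_callback` bodies that return the result of `wp_verify_nonce` alone, or that return `__return_true` on a route whose method is anything other than `GET`; each of those should instead gate on `current_user_can` with a capability proportionate to the action.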
Exploitation of this vulnerability allows unauthorized users to permanently delete weMail forms, potentially disrupting email marketing and lead generation activities.
To reproduce this vulnerability, access a WordPress page with weMail forms as an unauthenticated user. Extract the X-WP-Nonce from the weMail JavaScript object available in the page source. Then, send a DELETE request to the weMail forms endpoint, including the extracted nonce in the request header. This will result in the unauthorized deletion of all weMail forms.
Users are advised to update the weMail WordPress plugin to version 2.0.8 or later, where this vulnerability has been patched.