weDevs weMail
cpe:2.3:a:wedevs:wemail:*:*:*:*:wordpress:*:*
- <= 2.0.7
A vulnerability allowing authorization bypass has been identified in the weMail WordPress plugin, specifically in versions through 2.0.7. The issue arises because the plugin's REST API relies on the 'x-wemail-user' HTTP header for user identification, without confirming that the request comes from an authenticated WordPress session. This flaw enables unauthenticated attackers who can guess or know an admin's email—easily obtainable from the WordPress REST API user endpoint—to impersonate that user. Exploitation of this vulnerability allows access to CSV subscriber endpoints, potentially leading to the unauthorized extraction of personal information, such as emails, names, and phone numbers, from CSV files imported into the plugin.
Exploitation of this vulnerability could result in unauthorized access to sensitive subscriber information, including personal identifiable information (PII) such as email addresses, names, and phone numbers, from imported CSV files.
To reproduce this vulnerability, send a request to the weMail CSV subscriber endpoints using the 'x-wemail-user' header to impersonate an admin user. The request must be made without authentication, taking advantage of the plugin's lack of proper session verification. This can be done by guessing or knowing an admin email, which can be found through the WordPress REST API.
Users are advised to update the weMail WordPress plugin to version 2.0.8 or later.
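The root cause described above is a REST permission check that derives identity from a caller-controlled header instead of from the WordPress session. The following is an added example, not weMail's own code, showing that weak pattern next to a hardened `permission_callback` that relies on WordPress authentication and a capability check. The route namespace, endpoint path, capability and all function names are hypothetical.

```php
<?php
/**
 * Added example (not weMail's code): a WordPress REST route whose
 * permission_callback trusts a caller-supplied header, beside a hardened
 * version that requires an authenticated session plus a capability check.
 * Namespace, path, capability and function names are assumptions.
 */

// Weak pattern: identity is taken from the 'x-wemail-user' request header.
// Any client that knows an administrator's e-mail address can set it, so the
// check is satisfied without any WordPress login.
function example_weak_permission( WP_REST_Request $request ) {
	$email = $request->get_header( 'x-wemail-user' );
	$user  = $email ? get_user_by( 'email', $email ) : false;
	return $user && user_can( $user, 'manage_options' );
}

// Hardened pattern: identity comes only from WordPress' own authentication.
// For cookie-based REST calls WordPress sets the current user only when a
// valid 'wp_rest' nonce is present; without it the request is anonymous and
// is_user_logged_in() returns false. Application passwords and other
// authenticators also populate the current user before this callback runs.
function example_hardened_permission( WP_REST_Request $request ) {
	if ( ! is_user_logged_in() ) {
		return new WP_Error(
			'rest_not_logged_in',
			'Authentication required.',
			array( 'status' => 401 )
		);
	}
	if ( ! current_user_can( 'manage_options' ) ) {
		return new WP_Error(
			'rest_forbidden',
			'Insufficient permissions.',
			array( 'status' => 403 )
		);
	}
	// Any caller-supplied identity header is deliberately ignored.
	return true;
}

add_action( 'rest_api_init', function () {
	register_rest_route( 'example-plugin/v1', '/subscribers/export', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'example_export_subscribers',
		'permission_callback' => 'example_hardened_permission',
	) );
} );

function example_export_subscribers( WP_REST_Request $request ) {
	// Illustrative payload only; a real handler would stream the CSV rows
	// for the authenticated user after the permission callback succeeded.
	return rest_ensure_response( array(
		'status' => 'ok',
		'user'   => get_current_user_id(),
	) );
}
```

When reviewing a plugin for this class of issue, the thing to check is that every `register_rest_route` call has a `permission_callback` that resolves the acting user through `is_user_logged_in()` / `current_user_can()` (or an equivalent WordPress authenticator) rather than through a header, query parameter or body field the client controls.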