Security Alert Summary
The YayMail – WooCommerce Email Customizer plugin for WordPress contains a vulnerability that allows modification of site options via an AJAX action due to a missing capability check. An authenticated actor with Shop Manager-level access (according to the CVE description) can update arbitrary options, which may be used to change the default role for new registrations and enable user registration, potentially resulting in attackers gaining administrative access.
CVE Details
- CVE ID: CVE-2026-1937
- Affected component: YayMail – WooCommerce Email Customizer plugin for WordPress
- Affected versions: All versions up to, and including, 4.3.2
- Published: February 18, 2026 at 07:16:10 AM UTC
- Last modified: February 18, 2026 at 07:16:10 AM UTC
- CVSS v3.1: Base Score 9.8 — CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H - Authentication / Privileges / User Interaction (from CVSS data): Privileges Required: NONE; User Interaction: NONE; Attack Vector: NETWORK; Attack Complexity: LOW
- Primary impact (C/I/A): Confidentiality: HIGH; Integrity: HIGH; Availability: HIGH
- Weakness (CWE): CWE-862
Technical Details
The vulnerability is caused by a missing capability check on the yaymail_import_state AJAX action. Because that capability check is absent in the referenced code paths, it is possible for an attacker (the CVE description specifies authenticated actors with Shop Manager-level access and above) to trigger the action and update arbitrary WordPress options.
According to the CVE description, the flaw permits updating site options such as the default role for new registrations and the flag that enables user registration. By changing those options an attacker can configure the site to create or elevate accounts (for example setting the default registration role to administrator and enabling registrations), which can result in administrative user access on the vulnerable installation.
How This Could Impact Your Website
Consider a small e-commerce site that uses YayMail and has multiple user roles: a site owner, internal staff (store managers), and an external contractor who helps with email templates. If a store manager or other user account with the level of access described in the CVE is able to invoke the vulnerable AJAX action, they could change site options to permit new registrations and set the default role to administrator. Attackers could then create accounts that are granted administrative privileges, or modify existing options to weaken other safeguards.
Practical consequences include unauthorized administrative access, which can lead to changes in site configuration, addition or modification of content, and exposure of sensitive data. This also increases the risk of targeted phishing or social engineering campaigns against staff and customers if account data is exposed or administrative controls are abused. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed version.)
- Review and reduce unnecessary user roles and capabilities, especially for Shop Manager or similar privileged roles and contributors.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from the site.
- Monitor site activity and option changes for unusual behavior, and review recent changes to critical options such as
default_roleand user registration settings.
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Models/MigrationModel.php#L143
- https://plugins.trac.wordpress.org/browser/yaymail/trunk/src/Models/MigrationModel.php#L143
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3460087%40yaymail&new=3460087%40yaymail&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5a17ded3-340d-494f-be7e-2550dab360bc?source=cve