Description
The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process.
Published: 2026-04-10
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the YML for Yandex Market WordPress plugin allows an attacker to trigger arbitrary code execution during the feed generation process. By exploiting this flaw, adversaries can run any commands on the underlying server, potentially compromising confidentiality, integrity, and availability of the entire website. The severity score of 6.5 indicates a moderate risk if the vulnerability is leveraged.

Affected Systems

WordPress installations that use the YML for Yandex Market plugin, specifically any deployment running a version older than 5.0.26. The vendor is currently unknown, but affected sites are those that have this plugin installed and are serving market feeds.

Risk and Exploitability

With a CVSS score of 6.5 and an EPSS below 1%, the likelihood of successful exploitation is considered low at present, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, the attack vector is remotely reachable through the web interface that initiates feed creation. Because the exploit requires no prior local access, attackers can target the plugin from anywhere with internet access.

Generated by OpenCVE AI on April 13, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the plugin version on all WordPress sites.
  • Update the YML for Yandex Market plugin to version 5.0.26 or later.
  • If an update is not yet available, disable or remove the plugin until a patch is released.
  • Restrict access to the feed generation endpoint to trusted administrators.
  • Monitor security advisories and the WPScan database for new updates.

Generated by OpenCVE AI on April 13, 2026 at 15:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94

Fri, 10 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 10:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Icopydoc
Icopydoc yml For Yandex Market
Wordpress
Wordpress wordpress
Vendors & Products Icopydoc
Icopydoc yml For Yandex Market
Wordpress
Wordpress wordpress

Fri, 10 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
Description The YML for Yandex Market WordPress plugin before 5.0.26 is vulnerable to Remote Code Execution via the feed generation process.
Title YML for Yandex Market < 5.0.26 - Shop Manager+ RCE via Feed Generation
References

Subscriptions

Icopydoc Yml For Yandex Market
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-04-10T18:37:24.983Z

Reserved: 2025-12-11T15:36:38.497Z

Link: CVE-2025-14545

cve-icon Vulnrichment

Updated: 2026-04-10T18:36:40.515Z

cve-icon NVD

Status : Deferred

Published: 2026-04-10T07:16:19.607

Modified: 2026-04-15T15:05:47.827

Link: CVE-2025-14545

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:36:37Z

Weaknesses