CVE-2026-1831 - Vulnerability Details

- YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Plugin Installation and Activation

Description

The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymail_install_yaysmtp' AJAX action and `/yaymail/v1/addons/activate` REST endpoint in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install and activate the YaySMTP plugin.

Published: 2026-02-18

Score: 2.7 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The YayMail WooCommerce Email Customizer contains missing capability checks on the AJAX action 'yaymail_install_yaysmtp' and the REST endpoint '/yaymail/v1/addons/activate', permitting authenticated users with Shop Manager or higher roles to install and activate the YaySMTP plugin. This flaw allows an attacker to add additional code to the site without proper authorization, potentially leading to broader privilege escalation or malicious plugin deployment.

Affected Systems

The vulnerability affects all YayMail plugin versions up to 4.3.2 installed on WordPress sites. Users who have the Shop Manager role or higher within WooCommerce should consider these installations as impacted.

Risk and Exploitability

The CVSS score of 2.7 indicates low severity, and the EPSS score of less than 1% reflects a very small likelihood of exploitation. The flaw is not listed in the CISA KEV catalog, suggesting no publicly known exploit. The likely attack vector is through a compromised authenticated session on the WordPress admin interface or via a REST call, with the attacker needing at least Shop Manager privileges. Exploitation would allow installation of a third‑party plugin without proper authorization, potentially compromising site functionality or enabling further attacks.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

yaycommerce

YayMail – WooCommerce Email Customizer

unaffected

Version	Status	Constraints
`0`	affected	≤ 4.3.2

No data.

Vendor Product Confidence Versions

Wordpress

90%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Yaycommerce

Yaymail – Woocommerce Email Customizer

100%

Version	Status	Scheme	Platform
`[0,4.3.2]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade YayMail to version 4.3.3 or later, where missing capability checks have been fixed.
Verify that the 'yaymail_install_yaysmtp' AJAX action and '/yaymail/v1/addons/activate' REST endpoint no longer respond to requests from users without administrative privileges.
If an immediate upgrade is not possible, adjust user roles (e.g., with a role editor plugin) to remove the capability that allows plugin activation from the Shop Manager role, thereby enforcing least privilege principles.

Generated by OpenCVE AI on April 15, 2026 at 17:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00012.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Ajax.php#L183
https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Controllers/AddonController.php#L76
https://plugins.trac.wordpress.org/browser/yaymail/trunk/src/Ajax.php#L183
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3460087%40yaymail&new=3460087%40yaymail&sfp_email=&sfph_mail=#file11
https://www.wordfence.com/threat-intel/vulnerabilities/id/a568162a-5a2d-47ab-9dfe-2f2f5f324f0d?source=cve

History

Wed, 18 Feb 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 18 Feb 2026 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress Yaycommerce Yaycommerce yaymail – Woocommerce Email Customizer
Vendors & Products		Wordpress Wordpress wordpress Yaycommerce Yaycommerce yaymail – Woocommerce Email Customizer

Wed, 18 Feb 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymail_install_yaysmtp' AJAX action and `/yaymail/v1/addons/activate` REST endpoint in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install and activate the YaySMTP plugin.
Title		YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Plugin Installation and Activation
Weaknesses		CWE-862
References		https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Ajax.php#L183 https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Controllers/AddonController.php#L76 https://plugins.trac.wordpress.org/browser/yaymail/trunk/src/Ajax.php#L183 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3460087%40yaymail&new=3460087%40yaymail&sfp_email=&sfph_mail=#file11 https://www.wordfence.com/threat-intel/vulnerabilities/id/a568162a-5a2d-47ab-9dfe-2f2f5f324f0d?source=cve
Metrics		cvssV3_1 `{'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}`

Subscriptions

Wordpress Wordpress

Yaycommerce Yaymail – Woocommerce Email Customizer

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-02-18T07:25:41.707Z

Updated: 2026-04-08T17:13:15.693Z

Reserved: 2026-02-03T14:41:20.453Z

Link: CVE-2026-1831

Vulnrichment

Updated: 2026-02-18T12:25:02.669Z

NVD

Status : Deferred

Published: 2026-02-18T08:16:14.873

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1831

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object