Description
The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'update_template_data' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the title of any post on the site, including posts, pages, and custom post types.
Published: 2026-02-18
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Post Title Modification
Action: Update Plugin
AI Analysis

Impact

The EmailKit – Email Customizer for WooCommerce & WP plugin contains a missing capability check in the update_template_data function, allowing authenticated users with Subscriber or higher access to change the title of any post on the site. This flaw permits arbitrary alteration of content titles, undermining the integrity of posts, pages, and custom post types. The vulnerability is classified as CWE-862, representing a failure to fully authorize data modification actions.

Affected Systems

The affected product is the EmailKit – Email Customizer for WooCommerce & WP plugin distributed by roxnor, impacting all WordPress installations that use this plugin up to and including version 1.6.2. WordPress sites employing WooCommerce or similar custom post type setups are within scope.

Risk and Exploitability

With a CVSS score of 4.3 and an EPSS score of less than 1%, the technical severity is moderate to low and the likelihood of exploitation is low. The flaw is not listed in the CISA KEV catalog. Attackers must be able to log in to the site with at least Subscriber privileges; once authenticated, they can invoke the vulnerable AJAX endpoint to modify post titles. No public exploit code is known, and the impact is confined to content integrity rather than full compromise.

Generated by OpenCVE AI on April 15, 2026 at 17:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the EmailKit – Email Customizer for WooCommerce & WP plugin to a version newer than 1.6.2 that implements proper capability checks.
  • If an immediate plugin update is not possible, restrict or remove the Subscriber role’s capability to manage posts or to invoke the update_template_data endpoint via custom code or a security plugin.
  • Consider restricting access to the AJAX endpoint by adding authentication middleware or by hardening file permissions to prevent unauthorized access.

Generated by OpenCVE AI on April 15, 2026 at 17:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Roxnor
Roxnor emailkit – Email Customizer For Woocommerce & Wp
Wordpress
Wordpress wordpress
Vendors & Products Roxnor
Roxnor emailkit – Email Customizer For Woocommerce & Wp
Wordpress
Wordpress wordpress

Wed, 18 Feb 2026 05:00:00 +0000

Type Values Removed Values Added
Description The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'update_template_data' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the title of any post on the site, including posts, pages, and custom post types.
Title EmailKit – Email Customizer for WooCommerce & WP <= 1.6.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Title Modification
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Roxnor Emailkit – Email Customizer For Woocommerce & Wp
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:32:23.607Z

Reserved: 2026-02-04T19:32:44.061Z

Link: CVE-2026-1925

cve-icon Vulnrichment

Updated: 2026-02-18T12:25:27.308Z

cve-icon NVD

Status : Deferred

Published: 2026-02-18T05:16:28.803

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1925

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses