Description
The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `yaymail_import_state` AJAX action in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
Published: 2026-02-18
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Arbitrary Options Update
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a missing authorization check (CWE-862) on the handler behind the yaymail_import_state AJAX action. WordPress routes any admin-ajax.php request carrying action=yaymail_import_state from a logged-in user to that handler via the wp_ajax_yaymail_import_state hook. Whatever gate the plugin does apply admits accounts with the WooCommerce Shop Manager role or higher; what is missing is a check that the caller is actually allowed to change site options. As a result, such a user can supply option names and values of their choosing and have them written with the site's privileges. The chain the advisory describes is: set default_role to administrator, set users_can_register to 1, then register a new account through the normal registration form, which is created as an administrator. Any other site option is equally writable, so the impact is full compromise of site integrity, not just this one path.
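To make the CWE-862 pattern concrete, here is an added illustrative reconstruction in PHP of a handler with the flaw beside a hardened form. It is not the YayMail plugin's source: the function names, the `state` POST parameter, its JSON layout, the nonce action name and the `yaymail_` option prefix are assumptions. Only the hook name wp_ajax_yaymail_import_state follows from the action name in the advisory, because WordPress dispatches admin-ajax.php requests with action=X to the wp_ajax_X hook.

```php
<?php
// Added illustrative example, NOT the YayMail plugin's code.
// Names, parameters and the option prefix below are assumptions.

// --- Vulnerable shape (CWE-862): whoever can reach this action writes
// whatever option names and values the request supplies.
function yaymail_demo_import_state_vulnerable() {
    $raw   = isset( $_POST['state'] ) ? wp_unslash( $_POST['state'] ) : '';
    $state = json_decode( $raw, true );
    if ( ! is_array( $state ) ) {
        wp_send_json_error( 'bad state' );
    }
    foreach ( $state as $key => $value ) {
        // No current_user_can() check and no restriction on $key:
        // 'default_role' => 'administrator' and 'users_can_register' => 1 go straight in.
        update_option( $key, $value );
    }
    wp_send_json_success();
}

// --- Hardened form: CSRF nonce, capability check, and an allowlist of the
// option names the plugin actually owns.
const YAYMAIL_DEMO_OPTION_PREFIX = 'yaymail_'; // assumed prefix

function yaymail_demo_import_state_hardened() {
    // 1. CSRF: the nonce must match the one rendered into the settings page.
    check_ajax_referer( 'yaymail_demo_import_state', 'nonce' );

    // 2. Authorization: importing site-wide state is an administrator operation.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 ); // exits
    }

    $raw   = isset( $_POST['state'] ) ? wp_unslash( $_POST['state'] ) : '';
    $state = json_decode( $raw, true );
    if ( ! is_array( $state ) ) {
        wp_send_json_error( 'bad state', 400 );
    }

    $rejected = array();
    foreach ( $state as $key => $value ) {
        $key = sanitize_key( $key );
        // 3. Scope: only options carrying the plugin's prefix may be written, so
        //    even a later bug in this handler cannot become a core-option writer.
        if ( 0 !== strpos( $key, YAYMAIL_DEMO_OPTION_PREFIX ) ) {
            $rejected[] = $key;
            continue;
        }
        update_option( $key, $value );
    }
    wp_send_json_success( array( 'rejected' => $rejected ) );
}

// Register only the hardened handler. There is deliberately no
// wp_ajax_nopriv_ registration: unauthenticated callers must not reach it.
add_action( 'wp_ajax_yaymail_import_state', 'yaymail_demo_import_state_hardened' );
```

The capability check alone closes the reported escalation; the prefix allowlist is the extra step a reviewer would ask for, because a handler that can write any option is one missing check away from this class of bug again.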

Affected Systems

WordPress sites running the YayMail – WooCommerce Email Customizer plugin at any version up to and including 4.3.2 are affected; the WordPress core version does not matter. The advisory gives no lower bound for the affected range, so treat every earlier release as vulnerable and do not downgrade as a workaround. Sites where no user holds the Shop Manager role (or another role able to reach the action) have no eligible attacker, but a single staff or contractor account changes that.

Risk and Exploitability

The CVSS 3.1 base score is 7.2 (High), vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H; the History below shows it was revised from 9.8 once the required privilege was corrected from none (PR:N) to high (PR:H). The EPSS score is below 1% and the CVE is not in the CISA KEV catalog, so there is no public evidence of exploitation yet. The attack is reachable over the network like any admin-ajax.php request; what limits it is the need for a Shop Manager-level account, a role routinely granted to store staff and contractors. Realistic paths are a malicious or phished Shop Manager, credential stuffing or password reuse against such an account, or a hijacked session; a compromised administrator account is not required. Once the action fires the attacker needs no further interaction, and the administrator account created this way persists after the plugin is patched.

Generated by OpenCVE AI on April 15, 2026 at 15:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a release of the YayMail plugin later than 4.3.2 that the vendor identifies as fixing CVE-2026-1937. The affected range ends at 4.3.2, but this page lists no vendor fix yet, so confirm in the plugin changelog before assuming any particular version is safe.
  • If an upgrade is not immediately possible, add an authorization check to the PHP callback hooked to wp_ajax_yaymail_import_state, such as current_user_can('manage_options') followed by wp_send_json_error() on failure, before any update_option() call, and confine the writable option names to the plugin's own. Keep that patch under version control: the next plugin update will overwrite it.
  • Do not expect to mitigate this by trimming the Shop Manager role's capabilities: the handler performs no capability check at all, and Shop Managers already lack manage_options. The effective interim control is to minimize who holds Shop Manager (or any role that can reach the action), enforce strong passwords and two-factor authentication on those accounts, and consider removing the role until the patch is applied.
  • Monitor for the action being called (POST requests to admin-ajax.php with action=yaymail_import_state, especially from non-administrator users), for changes to the default_role and users_can_register options, and for new accounts created with the administrator role. After patching, audit the user list: the fix stops future abuse but does not remove an administrator account an attacker has already registered.
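As an added example of the interim controls and monitoring in the list above (this is illustrative code, not vendor or OpenCVE code), the following must-use plugin gates the action on manage_options before the plugin's own handler runs, vetoes the two option writes the advisory names as the escalation path, and logs every option written while that AJAX action is being served. The hook names and filter signatures are WordPress core (wp_ajax_{action}, pre_update_option_{option}, updated_option, wp_doing_ajax); the log line format and the WP-CLI bypass are assumptions.

```php
<?php
/**
 * Plugin Name: Interim shim for CVE-2026-1937 (added illustrative example, not vendor code)
 * Description: Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// 1. Refuse the vulnerable action to anyone without manage_options.
//    Priority 0 runs before the plugin's own callback (default priority 10),
//    and wp_send_json_error() exits, so the plugin's handler never executes.
add_action( 'wp_ajax_yaymail_import_state', function () {
    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators fall through to the plugin's handler
    }
    error_log( sprintf(
        'CVE-2026-1937 shim: denied yaymail_import_state for user=%d ip=%s',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );
    wp_send_json_error( 'forbidden', 403 );
}, 0 );

// 2. Veto the two core options the advisory names as the escalation path.
//    Returning $old from pre_update_option_{name} makes update_option() a no-op,
//    because it skips the write when the new value equals the stored one.
function cve_2026_1937_guard_option( $option, $new, $old, $allowed ) {
    if ( $allowed ) {
        return $new;
    }
    error_log( sprintf(
        'CVE-2026-1937 shim: blocked %s change %s -> %s by user=%d',
        $option, var_export( $old, true ), var_export( $new, true ), get_current_user_id()
    ) );
    return $old;
}

// WP-CLI has no current user, so allow it explicitly (assumed operational choice).
function cve_2026_1937_is_trusted_context() {
    return current_user_can( 'manage_options' ) || ( defined( 'WP_CLI' ) && WP_CLI );
}

add_filter( 'pre_update_option_default_role', function ( $new, $old ) {
    // Never let the registration default become administrator, and require an
    // administrator session (or WP-CLI) for any other change.
    $allowed = 'administrator' !== $new && cve_2026_1937_is_trusted_context();
    return cve_2026_1937_guard_option( 'default_role', $new, $old, $allowed );
}, 10, 2 );

add_filter( 'pre_update_option_users_can_register', function ( $new, $old ) {
    // Enabling open registration needs an administrator; disabling it is always fine.
    $allowed = ! $new || cve_2026_1937_is_trusted_context();
    return cve_2026_1937_guard_option( 'users_can_register', $new, $old, $allowed );
}, 10, 2 );

// 3. Audit trail: record every option actually written while the
//    yaymail_import_state action is being served, with the acting user.
//    admin-ajax.php reads the action from $_REQUEST, so match on the same field.
add_action( 'updated_option', function ( $option, $old, $new ) {
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) || 'yaymail_import_state' !== $_REQUEST['action'] ) {
        return;
    }
    error_log( sprintf(
        'CVE-2026-1937 audit: user=%d wrote option %s (%s -> %s)',
        get_current_user_id(), $option, wp_json_encode( $old ), wp_json_encode( $new )
    ) );
}, 10, 3 );
```

The shim only covers the one action the advisory names and the two options it describes; it is a stopgap until the vendor fix is installed, not a replacement for it. Watch the PHP error log (or ship it to your SIEM) for the "denied" and "blocked" lines: either one from a Shop Manager account is a concrete indicator of attempted exploitation.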


Advisories

No advisories yet.

History

Tue, 14 Apr 2026 15:15:00 +0000

Type: Metrics (ssvc)
Removed: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 17:45:00 +0000

Type: Metrics (cvssV3_1)
Removed: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Wed, 18 Feb 2026 15:15:00 +0000

Type: Metrics (ssvc)
Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 11:00:00 +0000

Type: First Time appeared
Added: Wordpress; Wordpress wordpress; Yaycommerce; Yaycommerce yaymail – Woocommerce Email Customizer

Type: Vendors & Products
Added: Wordpress; Wordpress wordpress; Yaycommerce; Yaycommerce yaymail – Woocommerce Email Customizer

Wed, 18 Feb 2026 07:15:00 +0000

Type: Description
Added: The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `yaymail_import_state` AJAX action in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Type: Title
Added: YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Options Update via 'yaymail_import_state' AJAX Action

Type: Weaknesses
Added: CWE-862

Type: References

Type: Metrics (cvssV3_1)
Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-14T14:31:45.787Z

Reserved: 2026-02-04T21:18:36.457Z

Link: CVE-2026-1937

Vulnrichment

Updated: 2026-02-18T14:23:11.664Z

NVD

Status : Deferred

Published: 2026-02-18T07:16:10.093

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1937

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses