Impact
The plugin’s REST endpoint for deleting its license key performs no proper authorization check, allowing any authenticated user with Shop Manager level or higher to trigger license deletion if they can supply a valid nonce. Removing the license key deactivates the plugin, which in turn disables WooCommerce email functionality and can disrupt order notifications and marketing emails. The flaw is a permission bypass that results in denial of service to the email component rather than data theft or code execution.
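The following is an added illustration, not YayMail's code: the namespace, route paths, callback and option names are hypothetical. It shows the weak pattern the advisory describes, a REST route whose permission callback accepts any logged-in session and so leaves authorization to the nonce alone, beside a hardened registration that gates the destructive action behind a capability check. The choice of `manage_options` as the required capability is an assumption about what an appropriate fix looks like, not a statement about the vendor's patch.

```php
<?php
// Added example (hypothetical plugin, not YayMail's code). Names such as
// example-plugin/v1, example_plugin_delete_license and the option key are
// assumptions made for illustration.

// Weak pattern: a REST nonce (X-WP-Nonce) only proves that the request came
// from a logged-in session on this site and protects against CSRF. It says
// nothing about the caller's role, so with '__return_true' as the permission
// callback any user who can reach wp-admin, Shop Managers included, can hit
// the endpoint and remove the license.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/license-weak', array(
        'methods'             => 'DELETE',
        'callback'            => 'example_plugin_delete_license',
        'permission_callback' => '__return_true',
    ) );
} );

// Hardened pattern: authorization is decided by current_user_can() on a
// capability that only administrators hold (assumed here to be
// 'manage_options'). WordPress core still verifies the nonce for cookie
// authentication, so CSRF protection is unchanged; what changes is that a
// Shop Manager account now receives 403 instead of the deletion going ahead.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/license', array(
        'methods'             => 'DELETE',
        'callback'            => 'example_plugin_delete_license',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to remove the license.', 'example-plugin' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );

// The destructive action itself. Removing the stored key is what deactivates
// the licensed features, which is why the permission callback above matters.
function example_plugin_delete_license( WP_REST_Request $request ) {
    delete_option( 'example_plugin_license_key' ); // hypothetical option name
    return rest_ensure_response( array( 'deleted' => true ) );
}
```

When reviewing a plugin for this class of issue, the thing to look for is any `register_rest_route` call whose `permission_callback` is `__return_true` (or absent) on a route that changes state; a nonce check inside the callback does not substitute for a capability check.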
Affected Systems
WordPress sites that install YayCommerce YayMail – WooCommerce Email Customizer versions 4.3.0 through 4.3.2 are affected. The vulnerability resides in the License/RestAPI.php file, beginning near line 142, and applies to all WordPress installations running those plugin versions regardless of PHP or WordPress version.
Risk and Exploitability
The CVSS score of 5.3 reflects moderate severity, and the EPSS score of less than 1% indicates a low current likelihood of exploitation, which is consistent with the absence of a KEV listing. Exploitation requires an authenticated account with Shop Manager privileges and the ability to obtain or guess a valid REST API nonce—conditions that favor an internal threat actor or a compromised credential rather than an external attacker. Prompt patching is therefore advised to prevent service disruption for eCommerce stores.