CVE-2026-1943 - Vulnerability Details

- YayMail <= 4.3.2 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via Template Elements

Description

The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

Published: 2026-02-18

Score: 4.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in the YayMail – WooCommerce Email Customizer plugin allows an authenticated user with Shop Manager or higher permissions to inject malicious JavaScript via unsanitized template settings. Because the input is stored and later rendered in email templates, the attacker can place arbitrary scripts that will execute whenever users view an affected page or email. This stored XSS can lead to cookie theft, session hijacking, defacement, or other malicious actions, while affecting the confidentiality, integrity, and availability of the site's front‑end content.

Affected Systems

All installations of the YayMail – WooCommerce Email Customizer plugin built by YayCommerce up to and including version 4.3.2 are affected. The flaw is active only on WordPress multisite environments or sites where the 'unfiltered_html' capability is disabled, so any multisite blog or standard site with this capability restriction is potentially impacted.

Risk and Exploitability

The CVSS score is 4.4, indicating moderate risk. The EPSS score is below 1%, suggesting active exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. Attackers must first authenticate and possess Shop Manager or higher role permissions, but once they do they can persistently store malicious scripts that will run in the browsers of any user viewing the affected pages. Because the exploit requires only injection of template content via the plugin’s admin interface, external tooling is unnecessary.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

yaycommerce

YayMail – WooCommerce Email Customizer

unaffected

Version	Status	Constraints
`0`	affected	≤ 4.3.2

No data.

Vendor Product Confidence Versions

Wordpress

90%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Yaycommerce

Yaymail – Woocommerce Email Customizer

100%

Version	Status	Scheme	Platform
`[0,4.3.2]`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update YayMail to the latest version (≥4.3.3) to eliminate the stored XSS flaw.
If an upgrade is not yet possible, remove or downgrade Shop Manager or higher users to limit write access to template settings, or set the 'unfiltered_html' capability to true for these roles.
Ensure that all template output is properly escaped or filter the content before rendering; consider overriding the plugin’s template functions to enforce encoding.

Generated by OpenCVE AI on April 15, 2026 at 18:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0001.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Controllers/TemplateController.php#L194
https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/templates/elements/order-details.php#L123
https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/templates/elements/text.php#L38
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3460087%40yaymail&new=3460087%40yaymail&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/73b4e5a2-bf75-4df9-a816-2cc858947c39?source=cve

History

Wed, 18 Feb 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 18 Feb 2026 11:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Wordpress Wordpress wordpress Yaycommerce Yaycommerce yaymail – Woocommerce Email Customizer
Vendors & Products		Wordpress Wordpress wordpress Yaycommerce Yaycommerce yaymail – Woocommerce Email Customizer

Wed, 18 Feb 2026 07:45:00 +0000

Type	Values Removed	Values Added
Description		The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Title		YayMail <= 4.3.2 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via Template Elements
Weaknesses		CWE-79
References		https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Controllers/TemplateController.php#L194 https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/templates/elements/order-details.php#L123 https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/templates/elements/text.php#L38 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3460087%40yaymail&new=3460087%40yaymail&sfp_email=&sfph_mail= https://www.wordfence.com/threat-intel/vulnerabilities/id/73b4e5a2-bf75-4df9-a816-2cc858947c39?source=cve
Metrics		cvssV3_1 `{'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}`

Subscriptions

Wordpress Wordpress

Yaycommerce Yaymail – Woocommerce Email Customizer

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-02-18T07:25:40.955Z

Updated: 2026-04-08T17:00:58.740Z

Reserved: 2026-02-04T21:33:51.301Z

Link: CVE-2026-1943

Vulnrichment

Updated: 2026-02-18T12:25:07.072Z

NVD

Status : Deferred

Published: 2026-02-18T08:16:15.373

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1943

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:30:10Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required High

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object