Impact
The vulnerability is a PHP Object Injection flaw in the YayMail WordPress plugin versions up to 4.3.3. By injecting malicious serialized objects, an attacker can manipulate the plugin’s internal data structures and achieve arbitrary code execution, compromising the confidentiality, integrity, and availability of the WordPress site. This weakness is classified as CWE‑502: Deserialization of Untrusted Data.
Affected Systems
The affected product is the YayMail email marketing plugin developed by Yeeaddons. Versions up to and including 4.3.3 are vulnerable. All WordPress sites that have this plugin installed and have not applied the latest update are at risk.
Risk and Exploitability
The CVSS score is 7.2, indicating a high severity. However, the EPSS score is below 1 %, suggesting that exploitation activity is currently very low. The vulnerability is not listed in the CISA KEV catalog. It is likely that an attacker can exploit the flaw through input that reaches the plugin’s serialization handling, such as form submissions or configuration payloads. No public exploit code is known, so the likelihood of immediate exploitation is low, but the potential impact warrants prompt action.
OpenCVE Enrichment