PT-2026-20293 · Unknown+1 · Woocommerce+1

Daniel Basta +1 · Published 2026-02-18 · Updated 2026-02-27 · CVE-2026-1937

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

YayMail – WooCommerce Email Customizer plugin for WordPress versions through 4.3.2

Description

The YayMail – WooCommerce Email Customizer plugin for WordPress is susceptible to unauthorized data modification, potentially leading to privilege escalation. A missing capability check on the yaymail import state AJAX action allows authenticated attackers with Shop Manager-level access or higher to modify arbitrary options on the WordPress site. This can be exploited to elevate user privileges, such as changing the default registration role to administrator and enabling user registration for unauthorized access. The yaymail import state action is the component affected.

Recommendations

Update YayMail – WooCommerce Email Customizer plugin to a version later than 4.3.2.
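
A post-update check a site owner can run for the option changes the description names: this is an added example, not code from the plugin or from this advisory. It assumes the options were exported as a JSON list of `option_name`/`option_value` rows (the shape `wp option list --format=json` produces); the sample data is constructed and `EXPECTED_ROLES` is a site-specific assumption.

```python
import json
import re

LAST_AFFECTED = (4, 3, 2, 0)  # page: versions through 4.3.2 are affected
EXPECTED_ROLES = {"subscriber", "customer"}  # assumption: this site's normal defaults

def parse_version(text):
    """'4.3.2' -> (4, 3, 2, 0); a non-numeric component counts as 0."""
    nums = []
    for piece in text.strip().split(".")[:4]:
        m = re.match(r"\d+", piece)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums + [0] * (4 - len(nums)))

def audit(options_json, plugin_version):
    """Return a list of findings for one site's exported options."""
    rows = json.loads(options_json)
    opts = {r["option_name"]: str(r["option_value"]) for r in rows}
    findings = []
    if parse_version(plugin_version) <= LAST_AFFECTED:
        findings.append("plugin %s is in the affected range (through 4.3.2)" % plugin_version)
    role = opts.get("default_role", "subscriber")
    open_registration = opts.get("users_can_register", "0") == "1"
    if role == "administrator":
        findings.append("default_role is administrator")
    elif role not in EXPECTED_ROLES:
        findings.append("default_role is unexpected: %s" % role)
    if open_registration and role not in EXPECTED_ROLES:
        findings.append("registration is open and new accounts get role %s" % role)
    return findings

# Constructed sample exports, not taken from a real site.
TAMPERED = json.dumps([
    {"option_name": "default_role", "option_value": "administrator"},
    {"option_name": "users_can_register", "option_value": "1"},
])
BASELINE = json.dumps([
    {"option_name": "default_role", "option_value": "subscriber"},
    {"option_name": "users_can_register", "option_value": "0"},
])

if __name__ == "__main__":
    for finding in audit(TAMPERED, "4.3.2"):
        print("FINDING:", finding)
```

Any finding on `default_role` or `users_can_register` after updating warrants a review of recently created accounts, since updating the plugin does not revert options that were already changed.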

Fix

LPE

Missing Authorization


Weakness Enumeration

Related identifiers

CVE-2026-1937

Affected products

Woocommerce
Yaymail – Woocommerce Email Customizer