PT-2026-20293 · Unknown+1 · Woocommerce+1
Daniel Basta +1 · Published 2026-02-18 · Updated 2026-02-27 · CVE-2026-1937
CVSS v3.1: 7.2 High
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
YayMail – WooCommerce Email Customizer plugin for WordPress versions through 4.3.2
Description
The YayMail – WooCommerce Email Customizer plugin for WordPress is susceptible to unauthorized data modification, potentially leading to privilege escalation. A missing capability check on the yaymail import state AJAX action allows authenticated attackers with Shop Manager-level access or higher to modify arbitrary options on the WordPress site. This can be exploited to elevate user privileges, such as changing the default registration role to administrator and enabling user registration for unauthorized access. The yaymail import state action is the component affected.
Recommendations
Update YayMail – WooCommerce Email Customizer plugin to a version later than 4.3.2.
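To check a site for the affected version and for the option state described above, the following added example (not part of the advisory or the plugin) audits JSON exported with `wp plugin list --format=json` and `wp option list --format=json`. The plugin name `yaymail`, the set of acceptable default roles, and the sample data are assumptions made for illustration.

```python
import json

LAST_AFFECTED = (4, 3, 2, 0)   # advisory: versions through 4.3.2 are affected
PLUGIN_SLUG = "yaymail"        # assumption: name shown by `wp plugin list`
LOW_PRIV_ROLES = {"subscriber", "customer"}  # assumption: acceptable defaults


def parse_version(text):
    """'4.3.2' -> (4, 3, 2, 0); non-numeric characters are ignored."""
    nums = []
    for piece in text.split(".")[:4]:
        digits = "".join(ch for ch in piece if ch.isdigit())
        nums.append(int(digits) if digits else 0)
    return tuple(nums + [0] * (4 - len(nums)))


def audit(plugins_json, options_json):
    """Return finding codes for the state described in the advisory."""
    findings = []
    for plugin in json.loads(plugins_json):
        if plugin.get("name") == PLUGIN_SLUG and \
                parse_version(plugin.get("version", "0")) <= LAST_AFFECTED:
            findings.append("affected-plugin-version")
    opts = {o["option_name"]: str(o["option_value"]) for o in json.loads(options_json)}
    role = opts.get("default_role", "subscriber")
    if role not in LOW_PRIV_ROLES:
        # A privileged default role is suspicious even if registration is closed.
        findings.append("privileged-default-role:" + role)
        if opts.get("users_can_register") == "1":
            findings.append("open-registration-with-privileged-role")
    return findings


# Constructed sample exports (not taken from a real site).
SAMPLE_PLUGINS = '[{"name": "yaymail", "status": "active", "version": "4.3.2"}]'
SAMPLE_OPTIONS = ('[{"option_name": "users_can_register", "option_value": "1"},'
                  ' {"option_name": "default_role", "option_value": "administrator"}]')

if __name__ == "__main__":
    for finding in audit(SAMPLE_PLUGINS, SAMPLE_OPTIONS):
        print(finding)
```

A privileged default role on a site that ran an affected version is also a reason to review recently created accounts, since updating the plugin does not revert options that were already changed.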
Fix
LPE
Missing Authorization
Weakness Enumeration
Related Identifiers
Affected Products
Woocommerce
Yaymail – Woocommerce Email Customizer