{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1937", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T21:18:36.457Z", "datePublished": "2026-02-18T06:42:41.042Z", "dateUpdated": "2026-04-14T14:31:45.787Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:57.735Z"}, "affected": [{"vendor": "yaycommerce", "product": "YayMail \u2013 WooCommerce Email Customizer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.3.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The YayMail \u2013 WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `yaymail_import_state` AJAX action in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site."}], "title": "YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Options Update via 'yaymail_import_state' AJAX Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a17ded3-340d-494f-be7e-2550dab360bc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/yaymail/trunk/src/Models/MigrationModel.php#L143"}, {"url": "https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Models/MigrationModel.php#L143"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3460087%40yaymail&new=3460087%40yaymail&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Daniel Basta"}], "timeline": [{"time": "2026-02-05T17:24:28.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T18:41:54.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:31:39.996463Z", "id": "CVE-2026-1937", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:31:45.787Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1937", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T14:31:39.996463Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T14:23:11.664Z"}}], "cna": {"title": "YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Options Update via 'yaymail_import_state' AJAX Action", "credits": [{"lang": "en", "type": "finder", "value": "Daniel Basta"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "yaycommerce", "product": "YayMail \u2013 WooCommerce Email Customizer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.3.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-05T17:24:28.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T18:41:54.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a17ded3-340d-494f-be7e-2550dab360bc?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/yaymail/trunk/src/Models/MigrationModel.php#L143"}, {"url": "https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Models/MigrationModel.php#L143"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3460087%40yaymail&new=3460087%40yaymail&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The YayMail \u2013 WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `yaymail_import_state` AJAX action in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:54:57.735Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1937", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:31:45.787Z", "dateReserved": "2026-02-04T21:18:36.457Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T06:42:41.042Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The YayMail \u2013 WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `yaymail_import_state` AJAX action in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site."}, {"lang": "es", "value": "El plugin YayMail \u2013 WooCommerce Email Customizer para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos que puede conducir a una escalada de privilegios debido a una falta de verificaci\u00f3n de capacidad en la acci\u00f3n AJAX 'yaymail_import_state' en todas las versiones hasta la 4.3.2, inclusive. Esto permite a atacantes autenticados, con acceso de nivel de 'Shop Manager' o superior, actualizar opciones arbitrarias en el sitio de WordPress. Esto puede ser aprovechado para actualizar el rol predeterminado para el registro a administrador y habilitar el registro de usuarios para que los atacantes obtengan acceso de usuario administrativo a un sitio vulnerable."}], "id": "CVE-2026-1937", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-02-18T07:16:10.093", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Models/MigrationModel.php#L143"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/yaymail/trunk/src/Models/MigrationModel.php#L143"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3460087%40yaymail&new=3460087%40yaymail&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a17ded3-340d-494f-be7e-2550dab360bc?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "inferred", "scores": [{"score": 100.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.3.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "YayMail \u2013 WooCommerce Email Customizer", "source": "cna", "vendor": "yaycommerce"}, "product": "yaymail_\u2013_woocommerce_email_customizer", "vendor": "yaycommerce"}], "analysis": {"en": {"generated_at": "2026-04-15T15:13:00.100188+00:00", "value": {"mitigation_remediation": ["Upgrade the YayMail plugin to the latest version (4.3.3 or newer) that includes a capability check for the yaymail_import_state AJAX action.", "If an upgrade cannot be performed immediately, edit the MigrationModel.php file to insert a capability check such as current_user_can('manage_options') before executing any option updates triggered by yaymail_import_state.", "Restrict the Shop Manager role (or any role with the ability to trigger this action) from having the capability to update options, or remove that role from the site until the patch is applied.", "Monitor user activity logs for unexpected usage of the yaymail_import_state action and review role assignments regularly to detect potential misuse."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via Arbitrary Options Update"}, "threat_synthesis": {"affected_systems": "Victims are WordPress sites running the YayMail \u2013 WooCommerce Email Customizer plugin versions up to and including 4.3.2. Any installation of these versions, regardless of WordPress core version, is susceptible. The issue is present in all prior releases because the capability check was never added to the AJAX handler.", "description_and_impact": "The vulnerability arises from a missing capability check on the yaymail_import_state AJAX action in the YayMail \u2013 WooCommerce Email Customizer plugin. Authenticated users with Shop Manager or higher privileges can trigger this action and modify WordPress options arbitrarily. An attacker can change the default registration role to administrator or enable user registration, allowing the creation of an administrative account. This flaw directly leads to privilege escalation and compromise of site integrity.", "risk_and_exploitability": "The CVSS base score is 7.2, indicating high severity. The EPSS score is below 1%, reflecting very low probability of exploitation in the wild at this time, and the vulnerability is not listed in the CISA KEV catalog. However, exploitation requires only an authenticated Shop Manager level account, which is often granted to legitimate staff. Once the action is triggered, the attacker can manipulate critical options without additional privileges, making the risk significant despite low external exploit prevalence. The attack vector is therefore internal, relying on social engineering or compromise of a legitimate administrator account."}}}}, "created": "2026-02-18T10:32:38.896408+00:00", "updated": "2026-04-15T17:30:10.444379+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "yaycommerce", "yaycommerce$PRODUCT$yaymail_\u2013_woocommerce_email_customizer"], "weaknesses": ["CWE-862"]}