{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1938", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T21:22:11.865Z", "datePublished": "2026-02-18T07:25:40.480Z", "dateUpdated": "2026-04-08T16:59:18.260Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:18.260Z"}, "affected": [{"vendor": "yaycommerce", "product": "YayMail \u2013 WooCommerce Email Customizer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.3.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The YayMail \u2013 WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized license key deletion due to a missing authorization check on the `/yaymail-license/v1/license/delete` REST endpoint in versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to delete the plugin's license key via the '/yaymail-license/v1/license/delete' endpoint granted they can obtain the REST API nonce."}], "title": "YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) License Key Deletion via '/yaymail-license/v1/license/delete' Endpoint", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ce57b12-2241-416b-b466-aa06ca8c7551?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/License/RestAPI.php#L142"}, {"url": "https://plugins.trac.wordpress.org/browser/yaymail/trunk/src/License/RestAPI.php#L142"}, {"url": "https://plugins.trac.wordpress.org/changeset/3460087/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Daniel Basta"}], "timeline": [{"time": "2026-02-05T17:24:28.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T19:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T12:26:27.988345Z", "id": "CVE-2026-1938", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:52:25.936Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1938", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T12:26:27.988345Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:26:29.215Z"}}], "cna": {"title": "YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) License Key Deletion via '/yaymail-license/v1/license/delete' Endpoint", "credits": [{"lang": "en", "type": "finder", "value": "Daniel Basta"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "yaycommerce", "product": "YayMail \u2013 WooCommerce Email Customizer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.3.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-05T17:24:28.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T19:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ce57b12-2241-416b-b466-aa06ca8c7551?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/License/RestAPI.php#L142"}, {"url": "https://plugins.trac.wordpress.org/browser/yaymail/trunk/src/License/RestAPI.php#L142"}, {"url": "https://plugins.trac.wordpress.org/changeset/3460087/"}], "descriptions": [{"lang": "en", "value": "The YayMail \u2013 WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized license key deletion due to a missing authorization check on the `/yaymail-license/v1/license/delete` REST endpoint in versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to delete the plugin's license key via the '/yaymail-license/v1/license/delete' endpoint granted they can obtain the REST API nonce."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:59:18.260Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1938", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:59:18.260Z", "dateReserved": "2026-02-04T21:22:11.865Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T07:25:40.480Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The YayMail \u2013 WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized license key deletion due to a missing authorization check on the `/yaymail-license/v1/license/delete` REST endpoint in versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to delete the plugin's license key via the '/yaymail-license/v1/license/delete' endpoint granted they can obtain the REST API nonce."}, {"lang": "es", "value": "El plugin YayMail \u2013 WooCommerce Email Customizer para WordPress es vulnerable a la eliminaci\u00f3n no autorizada de claves de licencia debido a una falta de verificaci\u00f3n de autorizaci\u00f3n en el endpoint REST `/yaymail-license/v1/license/delete` en versiones hasta la 4.3.2, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel 'Shop Manager' o superior, eliminen la clave de licencia del plugin a trav\u00e9s del endpoint '/yaymail-license/v1/license/delete' siempre que puedan obtener el nonce de la API REST."}], "id": "CVE-2026-1938", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T08:16:15.207", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/License/RestAPI.php#L142"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/yaymail/trunk/src/License/RestAPI.php#L142"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3460087/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6ce57b12-2241-416b-b466-aa06ca8c7551?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.3.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "YayMail \u2013 WooCommerce Email Customizer", "source": "cna", "vendor": "yaycommerce"}, "product": "yaymail_\u2013_woocommerce_email_customizer", "vendor": "yaycommerce"}], "analysis": {"en": {"generated_at": "2026-04-15T18:16:39.137066+00:00", "value": {"mitigation_remediation": ["Upgrade YayMail to the latest released version that fixes the missing authorization on the license delete endpoint.", "If an upgrade is not immediately available, modify the plugin files or use a custom code snippet to block the '/yaymail-license/v1/license/delete' REST endpoint for all roles except administrators.", "Re\u2011evaluate the necessity of Shop Manager privileges for users and revoke such privileges from staff who do not need them."], "summary": {"action": "Apply Patch", "impact": "Unauthorized License Key Deletion"}, "threat_synthesis": {"affected_systems": "WordPress sites that install YayCommerce YayMail \u2013 WooCommerce Email Customizer versions 4.3.0 through 4.3.2 are affected. The vulnerability resides in the License/RestAPI.php file, beginning near line 142, and applies to all WordPress installations running those plugin versions regardless of PHP or WordPress version.", "description_and_impact": "The plugin\u2019s REST endpoint for deleting its license key performs no proper authorization check, allowing any authenticated user with Shop Manager level or higher to trigger license deletion if they can supply a valid nonce. Removing the license key deactivates the plugin, which in turn disables WooCommerce email functionality and can disrupt order notifications and marketing emails. The flaw is a permission bypass that results in denial of service to the email component rather than data theft or code execution.", "risk_and_exploitability": "The CVSS score of 5.3 reflects moderate severity, and the EPSS score of less than 1% indicates a low current likelihood of exploitation, which is consistent with the absence of a KEV listing. Exploitation requires an authenticated account with Shop Manager privileges and the ability to obtain or guess a valid REST API nonce\u2014conditions that favor an internal threat actor or a compromised credential rather than an external attacker. Prompt patching is therefore advised to prevent service disruption for eCommerce stores."}}}}, "created": "2026-02-18T10:32:31.195546+00:00", "updated": "2026-04-15T18:30:10.928053+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "yaycommerce", "yaycommerce$PRODUCT$yaymail_\u2013_woocommerce_email_customizer"]}