{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1943", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-04T21:33:51.301Z", "datePublished": "2026-02-18T07:25:40.955Z", "dateUpdated": "2026-04-08T17:00:58.740Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:58.740Z"}, "affected": [{"vendor": "yaycommerce", "product": "YayMail \u2013 WooCommerce Email Customizer", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.3.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The YayMail \u2013 WooCommerce Email Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "YayMail <= 4.3.2 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via Template Elements", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73b4e5a2-bf75-4df9-a816-2cc858947c39?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Controllers/TemplateController.php#L194"}, {"url": "https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/templates/elements/text.php#L38"}, {"url": "https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/templates/elements/order-details.php#L123"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3460087%40yaymail&new=3460087%40yaymail&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Daniel Basta"}], "timeline": [{"time": "2026-02-05T17:24:28.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T18:44:08.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T12:25:05.948367Z", "id": "CVE-2026-1943", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:52:18.900Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1943", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T12:25:05.948367Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:25:07.072Z"}}], "cna": {"title": "YayMail <= 4.3.2 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via Template Elements", "credits": [{"lang": "en", "type": "finder", "value": "Daniel Basta"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "yaycommerce", "product": "YayMail \u2013 WooCommerce Email Customizer", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.3.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-05T17:24:28.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T18:44:08.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73b4e5a2-bf75-4df9-a816-2cc858947c39?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Controllers/TemplateController.php#L194"}, {"url": "https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/templates/elements/text.php#L38"}, {"url": "https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/templates/elements/order-details.php#L123"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3460087%40yaymail&new=3460087%40yaymail&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The YayMail \u2013 WooCommerce Email Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:00:58.740Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1943", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:00:58.740Z", "dateReserved": "2026-02-04T21:33:51.301Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T07:25:40.955Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The YayMail \u2013 WooCommerce Email Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}, {"lang": "es", "value": "El plugin YayMail \u2013 WooCommerce Email Customizer para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de la configuraci\u00f3n en todas las versiones hasta la 4.3.2, inclusive, debido a una sanitizaci\u00f3n de entrada insuficiente y un escape de salida deficiente. Esto permite a atacantes autenticados, con permisos de nivel de 'Shop Manager' o superiores, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un usuario acceda a una p\u00e1gina inyectada. Esto solo afecta a instalaciones multisitio y a instalaciones donde 'unfiltered_html' ha sido deshabilitado."}], "id": "CVE-2026-1943", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T08:16:15.373", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Controllers/TemplateController.php#L194"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/templates/elements/order-details.php#L123"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/templates/elements/text.php#L38"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3460087%40yaymail&new=3460087%40yaymail&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/73b4e5a2-bf75-4df9-a816-2cc858947c39?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 90.0, "confidence_source": "inferred", "scores": [{"score": 90.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.3.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "YayMail \u2013 WooCommerce Email Customizer", "source": "cna", "vendor": "yaycommerce"}, "product": "yaymail_\u2013_woocommerce_email_customizer", "vendor": "yaycommerce"}], "analysis": {"en": {"generated_at": "2026-04-15T18:16:11.765496+00:00", "value": {"mitigation_remediation": ["Update YayMail to the latest version (\u22654.3.3) to eliminate the stored XSS flaw.", "If an upgrade is not yet possible, remove or downgrade Shop Manager or higher users to limit write access to template settings, or set the 'unfiltered_html' capability to true for these roles.", "Ensure that all template output is properly escaped or filter the content before rendering; consider overriding the plugin\u2019s template functions to enforce encoding."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All installations of the YayMail \u2013 WooCommerce Email Customizer plugin built by YayCommerce up to and including version 4.3.2 are affected. The flaw is active only on WordPress multisite environments or sites where the 'unfiltered_html' capability is disabled, so any multisite blog or standard site with this capability restriction is potentially impacted.", "description_and_impact": "The vulnerability in the YayMail \u2013 WooCommerce Email Customizer plugin allows an authenticated user with Shop Manager or higher permissions to inject malicious JavaScript via unsanitized template settings. Because the input is stored and later rendered in email templates, the attacker can place arbitrary scripts that will execute whenever users view an affected page or email. This stored XSS can lead to cookie theft, session hijacking, defacement, or other malicious actions, while affecting the confidentiality, integrity, and availability of the site's front\u2011end content.", "risk_and_exploitability": "The CVSS score is 4.4, indicating moderate risk. The EPSS score is below 1%, suggesting active exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. Attackers must first authenticate and possess Shop Manager or higher role permissions, but once they do they can persistently store malicious scripts that will run in the browsers of any user viewing the affected pages. Because the exploit requires only injection of template content via the plugin\u2019s admin interface, external tooling is unnecessary."}}}}, "created": "2026-02-18T10:32:30.286269+00:00", "updated": "2026-04-15T18:30:10.927056+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "yaycommerce", "yaycommerce$PRODUCT$yaymail_\u2013_woocommerce_email_customizer"]}