GCVE - cpe:2.3:a:yaycommerce:yaymail_–_woocommerce_email

Approved changes feed: RSS · Atom

cpe:2.3:a:yaycommerce:yaymail_–_woocommerce_email_customizer:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Yaycommerce (`1c89574d-e9f5-5957-9e5e-4e06ca3f9fae`)
Product	Yaymail – Woocommerce Email Customizer (`82e940e9-edf8-528e-93ea-434c59d0e4a4`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2026-1943`	vulnerable	2026-06-08 07:49:09.883684	YayMail <= 4.3.2 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via Template Elements MEDIUM (4.4) The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. Published: 2026-02-18T07:25:40.955Z Updated: 2026-04-08T17:00:58.740Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/73b4e5a2-bf75-4df9-a816-2cc858947c39?source=cve https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Controllers/TemplateController.php#L194 https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/templates/elements/text.php#L38 https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/templates/elements/order-details.php#L123 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3460087%40yaymail&new=3460087%40yaymail&sfp_email=&sfph_mail=	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-1938`	vulnerable	2026-06-08 07:49:09.872016	YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) License Key Deletion via '/yaymail-license/v1/license/delete' Endpoint MEDIUM (5.3) The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized license key deletion due to a missing authorization check on the `/yaymail-license/v1/license/delete` REST endpoint in versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to delete the plugin's license key via the '/yaymail-license/v1/license/delete' endpoint granted they can obtain the REST API nonce. Published: 2026-02-18T07:25:40.480Z Updated: 2026-04-08T16:59:18.260Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/6ce57b12-2241-416b-b466-aa06ca8c7551?source=cve https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/License/RestAPI.php#L142 https://plugins.trac.wordpress.org/browser/yaymail/trunk/src/License/RestAPI.php#L142 https://plugins.trac.wordpress.org/changeset/3460087/	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-1937`	vulnerable	2026-06-08 07:49:09.871637	YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Options Update via 'yaymail_import_state' AJAX Action HIGH (7.2) The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `yaymail_import_state` AJAX action in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site. Published: 2026-02-18T06:42:41.042Z Updated: 2026-04-14T14:31:45.787Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/5a17ded3-340d-494f-be7e-2550dab360bc?source=cve https://plugins.trac.wordpress.org/browser/yaymail/trunk/src/Models/MigrationModel.php#L143 https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Models/MigrationModel.php#L143 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3460087%40yaymail&new=3460087%40yaymail&sfp_email=&sfph_mail=	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2026-1831`	vulnerable	2026-06-08 07:49:09.724756	YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Plugin Installation and Activation LOW (2.7) The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymail_install_yaysmtp' AJAX action and `/yaymail/v1/addons/activate` REST endpoint in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install and activate the YaySMTP plugin. Published: 2026-02-18T07:25:41.707Z Updated: 2026-04-08T17:13:15.693Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/a568162a-5a2d-47ab-9dfe-2f2f5f324f0d?source=cve https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Ajax.php#L183 https://plugins.trac.wordpress.org/browser/yaymail/trunk/src/Ajax.php#L183 https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Controllers/AddonController.php#L76 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3460087%40yaymail&new=3460087%40yaymail&sfp_email=&sfph_mail=#file11	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.

Yaymail – Woocommerce Email Customizer

PURL mappings

Vulnerability references

Contribute