Unauthorized Data Modification in YayMail – WooCommerce Email Customizer Plugin
CVE-2026-1937

7.2HIGH

Key Information:

Vendor: WordPress
Status: Yaymail – WooCommerce Email Customizer
Vendor: CVE Published:; 18 February 2026

What is CVE-2026-1937?

The YayMail – WooCommerce Email Customizer plugin for WordPress is susceptible to unauthorized data modification due to a lack of necessary capability checks on the yaymail_import_state AJAX action. This vulnerability affects all versions up to and including 4.3.2, allowing authenticated users with Shop Manager-level access and above to arbitrarily update critical site options. Notably, this can enable malicious actors to alter the default user role settings to administrator, facilitating unauthorized user registration and potential site takeover.

Affected Version(s)

YayMail – WooCommerce Email Customizer 0 <= 4.3.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/yaymail/trunk/...

https://plugins.trac.wordpress.org/browser/yaymail/tags/4...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 18, 2026
Vulnerability Reserved
Feb 4, 2026

Credit

whizzu

CVE-2026-1937 Data

JSON