5.3
YayMail – WooCommerce Email Customizer plugin: Unauthorized License Deletion
CVE-2026-1938
Summary
An attacker with Shop Manager-level access who obtains the REST API nonce can delete the plugin's license key, which could cause the plugin to stop working. This affects the YayMail – WooCommerce Email Customizer plugin for WordPress. Update to version 4.3.3 or later to fix the issue.
Original title
The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized license key deletion due to a missing authorization check on the `/yaymail-license/v1/license/delete` R...
Original description
The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized license key deletion due to a missing authorization check on the `/yaymail-license/v1/license/delete` REST endpoint in versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to delete the plugin's license key via the '/yaymail-license/v1/license/delete' endpoint granted they can obtain the REST API nonce.
NVD CVSS 3.1
5.3
Vulnerability type
CWE-862
Missing Authorization
- https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/License/RestAP...
- https://plugins.trac.wordpress.org/browser/yaymail/trunk/src/License/RestAPI.php...
- https://plugins.trac.wordpress.org/changeset/3460087/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/6ce57b12-2241-416b-b46...
Published: 18 Feb 2026 · Updated: 14 Mar 2026 · First seen: 6 Mar 2026