2.7
Unauthorized Email Plugin Installation in YayMail for WooCommerce
CVE-2026-1831
Summary
The YayMail plugin for WooCommerce is missing authorization checks, allowing an authenticated attacker with Shop Manager-level access or above to install and activate the YaySMTP plugin without permission. This could lead to malicious email sending or other security risks. Update the plugin to version 4.3.3 or later to fix this issue.
Original title
The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymail_install_yaysmtp' AJ...
Original description
The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymail_install_yaysmtp' AJAX action and `/yaymail/v1/addons/activate` REST endpoint in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install and activate the YaySMTP plugin.
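A stopgap for sites that cannot move to 4.3.3 immediately, as an added example (not YayMail's code or its official fix): a must-use plugin that enforces the missing capability check on the AJAX action and REST route named above. The helper name, the file name and the assumption that YayMail hooks its AJAX handler at the default priority are assumptions of this example.

```php
<?php
/**
 * Plugin Name: YayMail CVE-2026-1831 stopgap (added example)
 *
 * Constructed must-use plugin, not YayMail's code or its official fix.
 * Save as wp-content/mu-plugins/yaymail-authz-guard.php (file name is an assumption).
 */

defined( 'ABSPATH' ) || exit;

// Hypothetical helper: true only for users who may both install and activate
// plugins. Shop Managers hold neither capability in a default WooCommerce setup.
function yaymail_guard_user_may_manage_plugins() {
	return current_user_can( 'install_plugins' ) && current_user_can( 'activate_plugins' );
}

// AJAX action named in the advisory. Priority 0 runs before a handler
// registered at the default priority 10 (assumed for YayMail's handler).
add_action( 'wp_ajax_yaymail_install_yaysmtp', function () {
	if ( ! yaymail_guard_user_may_manage_plugins() ) {
		wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // sends JSON and exits
	}
}, 0 );

// REST endpoint named in the advisory. Returning a WP_Error from
// rest_request_before_callbacks stops the request before the route callback runs.
// REST routes match case-insensitively, so the route is lower-cased before comparing.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
	$route = strtolower( untrailingslashit( $request->get_route() ) );
	if ( '/yaymail/v1/addons/activate' === $route && ! yaymail_guard_user_may_manage_plugins() ) {
		return new WP_Error( 'rest_forbidden', 'Forbidden', array( 'status' => 403 ) );
	}
	return $response;
}, 10, 3 );
```

Remove the guard once the site runs YayMail 4.3.3 or later.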
nvd CVSS3.1
2.7
Vulnerability type
CWE-862
Missing Authorization
- https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Ajax.php#L183
- https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Controllers/Ad...
- https://plugins.trac.wordpress.org/browser/yaymail/trunk/src/Ajax.php#L183
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a568162a-5a2d-47ab-9df...
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026