EmailKit Plugin Allows Unapproved Changes to Posts

CVE-2026-1925
Summary

A missing authorization check in the EmailKit plugin for WordPress allows authenticated users with Subscriber-level access or above to change the title of any post, page, or custom post type on the site. This can lead to unauthorized changes to site content. All versions up to and including 1.6.2 are affected; to protect your site, update the EmailKit plugin to the latest version.

Original title
The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'update_template_data' function in...
Original description
The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'update_template_data' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the title of any post on the site, including posts, pages, and custom post types.
NVD CVSS 3.1: 4.3
Vulnerability type
CWE-862 Missing Authorization
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026