CVE-2026-1937
📋 TL;DR
The YayMail WordPress plugin has a privilege escalation vulnerability that allows authenticated attackers with Shop Manager access or higher to modify WordPress site options. This can be exploited to change the default user registration role to administrator and enable user registration, granting administrative access. All WordPress sites using YayMail plugin versions up to 4.3.2 are affected.
💻 Affected Systems
- YayMail – WooCommerce Email Customizer WordPress Plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where attackers gain administrative access, install backdoors, steal data, deface the site, or use it for further attacks.
Likely Case
Attackers gain administrative privileges, modify site settings, install malicious plugins/themes, and potentially compromise the entire WordPress installation.
If Mitigated
Limited impact if proper access controls, monitoring, and least privilege principles are already implemented.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once an attacker has Shop Manager credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.3.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3460087%40yaymail&new=3460087%40yaymail&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find YayMail plugin and click 'Update Now'. 4. Verify version is 4.3.3 or higher.
🔧 Temporary Workarounds
Remove vulnerable plugin
allTemporarily disable or remove the YayMail plugin until patched
wp plugin deactivate yaymail
wp plugin delete yaymail
Restrict user roles
allReview and limit Shop Manager and Administrator accounts to trusted users only
🧯 If You Can't Patch
- Implement strict access controls and monitor all Shop Manager and Administrator accounts
- Deploy web application firewall rules to block suspicious AJAX requests to yaymail_import_state
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → YayMail version. If version is 4.3.2 or lower, you are vulnerable.Check Version:
wp plugin get yaymail --field=versionVerify Fix Applied:
After updating, verify YayMail version shows 4.3.3 or higher in WordPress plugins list.📡 Detection & Monitoring
Log Indicators:
- Unusual AJAX requests to admin-ajax.php with action=yaymail_import_state
- Unexpected changes to WordPress options like default_role or users_can_register
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php containing yaymail_import_state parameter
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND "yaymail_import_state"🔗 References
- https://plugins.trac.wordpress.org/browser/yaymail/tags/4.3.2/src/Models/MigrationModel.php#L143
- https://plugins.trac.wordpress.org/browser/yaymail/trunk/src/Models/MigrationModel.php#L143
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3460087%40yaymail&new=3460087%40yaymail&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/5a17ded3-340d-494f-be7e-2550dab360bc?source=cve
