CVE-2026-1831
published 2026-02-18


Priority: P4 11 | Severity: low | Score: 2.7 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.29% (20.9th percentile)
The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymail_install_yaysmtp' AJAX action and `/yaymail/v1/addons/activate` REST endpoint in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install and activate the YaySMTP plugin.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yaycommerce | yaymail_woocommerce_email_customizer | <= 4.3.2 | |