CVE-2026-1938
published 2026-02-18

Priority: P4 · 33 · medium · 5.3 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 0.31% (22.3th percentile)

The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized license key deletion in versions up to, and including, 4.3.2, due to a missing authorization check on the `/yaymail-license/v1/license/delete` REST endpoint. This makes it possible for authenticated attackers with Shop Manager-level access and above to delete the plugin's license key via that endpoint, provided they can obtain the REST API nonce.

Affected (1 range)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| yaycommerce | yaymail_woocommerce_email_customizer | <= 4.3.2 | |