CVE-2026-1831 in YayMail Plugin
Summary
by MITRE • 02/18/2026
The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymail_install_yaysmtp' AJAX action and `/yaymail/v1/addons/activate` REST endpoint in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install and activate the YaySMTP plugin.
Analysis
by VulDB Data Team • 02/18/2026
CVE-2026-1831 affects the YayMail - WooCommerce Email Customizer plugin for WordPress in all versions up to and including 4.3.2. It is a missing-authorization flaw: two plugin entry points that install and activate a plugin do not verify that the caller holds the capability WordPress requires for that action, so an authenticated user with the Shop Manager role or higher can trigger an operation that WordPress otherwise reserves for administrators. In effect this is a privilege escalation from a store-operations role to plugin management, reached through the plugin's own legitimate interfaces rather than through any memory or injection bug.
The two entry points are the 'yaymail_install_yaysmtp' AJAX action and the '/yaymail/v1/addons/activate' REST endpoint. WordPress runs a wp_ajax_{action} handler for every logged-in user, and a REST route is only as restricted as its permission_callback makes it, so authentication alone does not limit who reaches either handler; the handler itself must check a capability such as install_plugins or activate_plugins before doing the work. Neither handler does, and the WooCommerce Shop Manager role holds neither capability, so a Shop Manager can make the plugin install and activate YaySMTP on their behalf. The fix is the usual one for this class of bug: enforce the authorization decision in the handler, at the point where the privileged operation is performed, not at the level of "is the caller logged in".
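The pattern described above, as an added illustration rather than code from the YayMail plugin: a WordPress AJAX action and REST route that install or activate a plugin, first in the unchecked shape the advisory describes and then with the capability and nonce checks that close the hole. The action and route strings are the ones named in the advisory; the example_* function names, the example_install_and_activate() helper (assumed to wrap Plugin_Upgrader and activate_plugin()) and the request parameter names are assumptions for illustration, and the vulnerable and hardened registrations are shown side by side for contrast, not meant to be loaded together.

```php
<?php
// Added illustration of the flaw's pattern, not code from the YayMail plugin.
// The AJAX action and REST route strings are those named in the advisory;
// example_* function names and the example_install_and_activate() helper
// (assumed to wrap Plugin_Upgrader and activate_plugin()) are hypothetical.

// ---- Vulnerable shape -----------------------------------------------------
// wp_ajax_{action} fires for every authenticated user, so "logged in" is the
// only gate here. A Shop Manager is logged in; the handler never asks whether
// the caller may install plugins.
add_action( 'wp_ajax_yaymail_install_yaysmtp', 'example_install_addon_unchecked' );
function example_install_addon_unchecked() {
    example_install_and_activate( 'yaysmtp/yaysmtp.php' ); // hypothetical helper
    wp_send_json_success();
}

// A REST route is only as restricted as its permission_callback. Returning
// true unconditionally makes it reachable by any cookie-authenticated user
// who holds a valid REST nonce, regardless of role.
add_action( 'rest_api_init', function () {
    register_rest_route( 'yaymail/v1', '/addons/activate', array(
        'methods'             => 'POST',
        'callback'            => function ( WP_REST_Request $request ) {
            require_once ABSPATH . 'wp-admin/includes/plugin.php';
            return rest_ensure_response( activate_plugin( $request->get_param( 'plugin' ) ) );
        },
        'permission_callback' => '__return_true',
    ) );
} );

// ---- Hardened shape -------------------------------------------------------
// In a real fix the vulnerable registrations above are removed; both are kept
// in this file only so the two shapes can be compared.
add_action( 'wp_ajax_yaymail_install_yaysmtp', 'example_install_addon_checked' );
function example_install_addon_checked() {
    // CSRF: the nonce is minted for the admin page that issues this request
    // (wp_create_nonce( 'yaymail_install_yaysmtp' ) on the page side).
    check_ajax_referer( 'yaymail_install_yaysmtp', 'nonce' );
    // Authorization: WordPress reserves these capabilities for administrators;
    // the WooCommerce Shop Manager role holds neither.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }
    example_install_and_activate( 'yaysmtp/yaysmtp.php' );
    wp_send_json_success();
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'yaymail/v1', '/addons/activate', array(
        'methods'             => 'POST',
        'callback'            => 'example_activate_addon_checked',
        // The authorization decision belongs here. Cookie-based REST auth
        // already rejects requests without a valid X-WP-Nonce; this supplies
        // the capability check that was missing.
        'permission_callback' => function () {
            return current_user_can( 'activate_plugins' );
        },
        'args' => array(
            'plugin' => array( 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );
} );

function example_activate_addon_checked( WP_REST_Request $request ) {
    $plugin = $request->get_param( 'plugin' );
    // Allow-list the one add-on this feature manages; never activate an
    // arbitrary client-supplied plugin path, even for an administrator.
    if ( 'yaysmtp/yaysmtp.php' !== $plugin ) {
        return new WP_Error( 'rest_forbidden', 'Unknown add-on', array( 'status' => 403 ) );
    }
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $result = activate_plugin( $plugin );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'activated' => $plugin ) );
}
```

Two points worth keeping in mind when applying this pattern: the check is on capabilities (current_user_can), not on role names, because roles are configurable and a site may grant or revoke install_plugins independently of the "administrator" label; and the nonce check is not a substitute for the capability check, since a Shop Manager can obtain a perfectly valid nonce for their own session.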
In practice this means a Shop Manager, a role intended for order and catalog management, can change the set of plugins running on the site, which is one of the most sensitive administrative actions in WordPress. The advisory describes installation and activation of one specific plugin, YaySMTP, rather than of arbitrary code, so the direct impact is that a non-administrator can alter the site's plugin inventory; what further reach that gives depends on what the newly activated plugin exposes and is not described here. The structural problem is the same either way: a role's effective permissions now exceed what its assigned capabilities should allow, which is exactly the boundary the WordPress role and capability model exists to enforce.
The flaw is categorized as CWE-863, Incorrect Authorization, and aligns with ATT&CK techniques for privilege escalation and persistence. The risk is highest where the Shop Manager role is handed out liberally, for example to agency staff, temporary employees or contractors, because each such account now carries an administrative-grade capability. The root cause, a privileged operation reachable through an admin-ajax action or REST route without a capability check, recurs across WordPress plugins, so a finding like this is a good reason to review the same plugin's other AJAX and REST handlers for the same omission.
Mitigation is to update the plugin: every version through 4.3.2 is affected, so the fix is expected in the next release, 4.3.3 or later. Until the update is applied, blocking requests to admin-ajax.php with action=yaymail_install_yaysmtp and to the /wp-json/yaymail/v1/addons/activate route for everyone but administrators, at the web server or WAF, is a reasonable stopgap. Administrators should check whether YaySMTP has been installed or activated without an administrator having done so, since that is the direct indicator of exploitation, and should log plugin installation and activation events with the acting user and entry point so that an activation by an account lacking activate_plugins stands out. Finally, review who holds the Shop Manager role and remove it from accounts that do not need it, and treat this as a prompt to audit other plugins' AJAX and REST handlers for the same missing capability check.
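For the monitoring step, an added example (not from the advisory or the plugin) of a must-use plugin that records every plugin install, activation and deactivation together with the acting user, their roles, the entry point (admin page, admin-ajax action, REST route or WP-CLI) and whether they hold the capability WordPress requires; a plugin activation by a user without activate_plugins is the direct signature of this CVE being exploited. The hooks used (activated_plugin, deactivated_plugin, upgrader_process_complete) are WordPress core hooks; the function names and the choice of error_log() as the sink are this example's own.

```php
<?php
/**
 * Plugin Name: Example Plugin Audit Log (added example, not part of YayMail)
 * Description: Logs plugin install/activate/deactivate events with actor context.
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// Who is acting, through which entry point, and do they hold the capability
// WordPress itself requires for plugin management?
function example_plugin_event_context() {
    $user = wp_get_current_user();
    if ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
        $uri   = isset( $_SERVER['REQUEST_URI'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '';
        $route = 'rest:' . $uri;                       // e.g. rest:/wp-json/yaymail/v1/addons/activate
    } elseif ( wp_doing_ajax() ) {
        $action = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
        $route  = 'ajax:' . $action;                   // e.g. ajax:yaymail_install_yaysmtp
    } elseif ( defined( 'WP_CLI' ) && WP_CLI ) {
        $route = 'wp-cli';                             // no web user; capability checks are not meaningful
    } else {
        $route = 'admin';
    }
    return array(
        'user_id'      => $user->ID,
        'user'         => $user->user_login,
        'roles'        => $user->roles,
        'can_install'  => current_user_can( 'install_plugins' ),
        'can_activate' => current_user_can( 'activate_plugins' ),
        'ip'           => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '',
        'route'        => $route,
    );
}

function example_log_plugin_event( $event, array $extra ) {
    $ctx = array_merge( array( 'event' => $event, 'ts' => gmdate( 'c' ) ), example_plugin_event_context(), $extra );
    // The symptom of CVE-2026-1831: a plugin event performed by a principal
    // that WordPress would never allow to manage plugins on its own.
    if ( 'wp-cli' !== $ctx['route'] && ! $ctx['can_activate'] ) {
        $ctx['alert'] = 'plugin_event_without_capability';
    }
    error_log( 'plugin-audit ' . wp_json_encode( $ctx ) ); // one JSON line per event
}

add_action( 'activated_plugin', function ( $plugin, $network_wide ) {
    example_log_plugin_event( 'activated', array( 'plugin' => $plugin, 'network_wide' => (bool) $network_wide ) );
}, 10, 2 );

add_action( 'deactivated_plugin', function ( $plugin, $network_wide ) {
    example_log_plugin_event( 'deactivated', array( 'plugin' => $plugin, 'network_wide' => (bool) $network_wide ) );
}, 10, 2 );

// Fires after Plugin_Upgrader finishes an install or update.
add_action( 'upgrader_process_complete', function ( $upgrader, $hook_extra ) {
    if ( empty( $hook_extra['type'] ) || 'plugin' !== $hook_extra['type'] ) {
        return;
    }
    $action  = isset( $hook_extra['action'] ) ? $hook_extra['action'] : 'unknown';
    $plugins = array();
    if ( 'install' === $action && isset( $upgrader->result['destination_name'] ) ) {
        $plugins[] = $upgrader->result['destination_name']; // directory name of the new plugin
    } elseif ( ! empty( $hook_extra['plugins'] ) ) {
        $plugins = (array) $hook_extra['plugins'];
    }
    example_log_plugin_event( 'plugin_' . $action, array( 'plugins' => $plugins ) );
}, 10, 2 );
```

Ship the log lines to whatever collects PHP's error log and alert on "plugin_event_without_capability"; a line for yaysmtp with roles ["shop_manager"] and route ajax:yaymail_install_yaysmtp or rest:/wp-json/yaymail/v1/addons/activate is this vulnerability being used. The same two route strings can be searched for in web-server access logs to reconstruct attempts made before the hook was in place.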