CVE-2026-1938 in YayMail Plugin
Summary
by MITRE • 02/18/2026
The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized license key deletion due to a missing authorization check on the `/yaymail-license/v1/license/delete` REST endpoint in versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to delete the plugin's license key via the `/yaymail-license/v1/license/delete` endpoint, provided they can obtain the REST API nonce.
Analysis
by VulDB Data Team • 02/18/2026
The vulnerability identified in CVE-2026-1938 affects the YayMail WooCommerce Email Customizer plugin in versions up to and including 4.3.2. The flaw resides in the plugin's REST API implementation and is an authorization bypass that can significantly impact e-commerce operations. It manifests as an insufficiently protected REST endpoint that allows license keys to be deleted without a proper authorization check. The root cause is the absence of adequate access control within the plugin's API layer, which lets users holding legitimate but lower-level administrative privileges perform an action reserved for site administrators.
Technically, the vulnerability involves the `/yaymail-license/v1/license/delete` REST endpoint, which lacks a proper authorization check. The endpoint requires nothing beyond basic authentication of the requesting user, so any authenticated user with Shop Manager-level permissions or higher can trigger license key deletion. The REST API nonce that the request must carry does not help here: the nonce is a CSRF protection that proves the request originates from a logged-in user's browser session, not a check of that user's capabilities, so it cannot prevent this particular unauthorized action. The flaw effectively bypasses the normal permission hierarchy within the plugin's administrative interface.
From an operational perspective, this vulnerability poses significant risks to WordPress site administrators and e-commerce businesses relying on the YayMail plugin. Unauthorized deletion of the license key can cause immediate service disruption, as the plugin loses its ability to function properly without a valid license. An attacker with Shop Manager access can use this weakness to render the email customization functionality inoperable, potentially affecting customer communication workflows and order processing notifications. The impact extends beyond simple service interruption to potential revenue loss and customer experience degradation during critical business operations.
The security implications of this vulnerability align with CWE-863, "Incorrect Authorization". This classification covers scenarios where access control checks are improperly implemented, allowing unauthorized users to perform privileged operations. The vulnerability also maps to ATT&CK technique T1078.004, which describes the use of legitimate credentials for persistence and privilege escalation within application environments. Organizations should consider this weakness as part of a broader attack surface assessment, particularly in environments where multiple users hold administrative capabilities. Exploitation requires minimal technical expertise and can be accomplished through standard REST API interaction, making it particularly dangerous across widespread deployments.
Effective mitigation starts with updating the YayMail plugin to version 4.3.3 or later, which should contain the necessary authorization checks. Administrators should also implement network-level restrictions to limit access to REST API endpoints where possible, and consider disabling API endpoints that are not actively used. Regular security audits of WordPress plugins and themes should include verification of API endpoint access controls, with particular attention to license management and other administrative functions. Additionally, organizations should enforce strict access control policies so that only essential personnel hold Shop Manager or higher privileges within their WordPress installations, reducing the attack surface available for exploitation.
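To make the authorization point from the analysis and mitigation sections concrete, the following is an added illustration of how a WordPress REST route for a license action ends up reachable by Shop Managers and how the check is tightened. It is constructed example code, not YayMail's code: the `example-license/v1` namespace, the `example_license_key` option and the callback names are hypothetical, and the assumption that the weak variant gates on `manage_woocommerce` (a capability the WooCommerce Shop Manager role carries) is an illustration, not a statement about the plugin's actual implementation.

```php
<?php
/**
 * Illustrative only: a license-management REST route with an insufficient
 * permission_callback next to a hardened version. Not YayMail plugin code.
 */
add_action( 'rest_api_init', function () {

    // Weak: manage_woocommerce is held by Shop Managers as well as
    // Administrators, so a destructive license action is exposed to a role
    // that has no legitimate need to manage plugin licensing. Note that the
    // X-WP-Nonce header (cookie authentication) is validated by WordPress
    // core before this callback runs; it proves the request came from a
    // logged-in browser session, not that the user is allowed to do this.
    register_rest_route( 'example-license/v1', '/license/delete', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_license_delete',
        'permission_callback' => function () {
            return current_user_can( 'manage_woocommerce' );
        },
    ) );

    // Hardened: require an administrator-level capability and return a
    // proper REST error (401 for anonymous, 403 for logged-in users).
    register_rest_route( 'example-license/v1', '/license/delete-hardened', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_license_delete',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to manage this license.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );

function example_license_delete( WP_REST_Request $request ) {
    // Hypothetical option name. Record who performed the action so that a
    // license removal can be traced during incident review.
    delete_option( 'example_license_key' );
    error_log( sprintf( 'License key removed via REST by user %d', get_current_user_id() ) );
    return rest_ensure_response( array( 'deleted' => true ) );
}
```

When auditing a plugin for this class of issue, review every `register_rest_route` call for a `permission_callback` that is missing, returns `true` unconditionally, or checks a capability broader than the action warrants.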