CVE-2026-1831 LOW

CVE-2026-1831: YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Plugin Installation and Activation

Vendor Yaycommerce
Product YayMail – WooCommerce Email Customizer
Weakness CWE-862 · Missing authorization
Published February 18, 2026
Last update April 8, 2026

CVSS base score

2.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the `yaymail_install_yaysmtp` AJAX action and the `/yaymail/v1/addons/activate` REST endpoint in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install and activate the YaySMTP plugin.
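As an added illustration (not the plugin's own code), the CWE-862 pattern the description points at and the capability checks that close it: the REST route and AJAX action names are taken from this advisory, while the registration and handler function names are hypothetical.

```php
<?php
// Added example, not YayMail's code. Route and action names are from the advisory;
// hypothetical_* names are assumptions. WooCommerce's Shop Manager role has
// manage_woocommerce but not install_plugins / activate_plugins, so checking
// those core capabilities is what keeps plugin installation out of its reach.

// WEAK (what CWE-862 looks like in review): the route's permission_callback
// accepts everyone, and the AJAX handler never asks current_user_can().
function hypothetical_register_addon_routes_weak() {
    register_rest_route( 'yaymail/v1', '/addons/activate', array(
        'methods'             => 'POST',
        'callback'            => 'hypothetical_activate_addon',
        'permission_callback' => '__return_true', // missing authorization
    ) );
}
function hypothetical_ajax_install_weak() {
    hypothetical_install_addon(); // reachable by any logged-in user
}

// HARDENED: require the same capabilities WordPress core requires for
// installing and activating plugins, and verify a nonce on the AJAX path
// (nonces stop CSRF; they are not a substitute for the capability check).
function hypothetical_register_addon_routes_hardened() {
    register_rest_route( 'yaymail/v1', '/addons/activate', array(
        'methods'             => 'POST',
        'callback'            => 'hypothetical_activate_addon',
        'permission_callback' => function () {
            return current_user_can( 'activate_plugins' );
        },
    ) );
}
function hypothetical_ajax_install_hardened() {
    check_ajax_referer( 'yaymail_install_yaysmtp', 'nonce' );
    if ( ! current_user_can( 'install_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    hypothetical_install_addon();
    wp_send_json_success();
}

// Only the hardened variants are hooked; the weak ones are kept for comparison.
add_action( 'rest_api_init', 'hypothetical_register_addon_routes_hardened' );
add_action( 'wp_ajax_yaymail_install_yaysmtp', 'hypothetical_ajax_install_hardened' );
```

For detection, a grep across installed plugins for `register_rest_route` calls whose `permission_callback` is `__return_true` and for `wp_ajax_` handlers with no `current_user_can()` call surfaces the same class of gap.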

Explanation of Vulnerability in Simple Terms

02 Summary

YayMail versions up to 4.3.2 lack proper authorization checks on certain administrative functions. A high-privileged user (such as a site administrator) can modify email settings in ways that exceed their intended permissions. The vulnerability has low integrity impact and requires administrative access to exploit.

What an attacker can do

03 Attacker Capabilities

Modify email customization settings beyond their authorized scope.

Potential impact on your site

04 Site Impact

A rogue admin or compromised admin account could alter WooCommerce email templates or settings inappropriately.

Conditions required to exploit

05 Prerequisites

Attacker must have high-level administrative privileges on the WordPress site.

Key dates

06 Disclosure timeline

February 18, 2026 CVE published
April 8, 2026 Record updated