What the vulnerability does
01 Description
The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymail_install_yaysmtp' AJAX action and `/yaymail/v1/addons/activate` REST endpoint in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install and activate the YaySMTP plugin.
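The bug class named above (an admin-ajax action and a REST route that perform a privileged operation without checking who is calling) is easiest to understand next to a correctly gated version. The following is an added example written for this page, not YayMail's or YaySMTP's own code; the hook name `example_addon_install`, the REST namespace `example/v1`, the plugin path `example-addon/example-addon.php` and all `example_addon_*` functions are hypothetical. It shows the two checks that were missing: a nonce for CSRF, and a capability check (`install_plugins` / `activate_plugins`), which in a stock WordPress install belong to administrators rather than to lower roles such as WooCommerce's Shop Manager.

```php
<?php
// Added example (hypothetical names, not the plugin's code): gating an
// admin-ajax action and a REST route that install or activate plugins.

// --- admin-ajax handler ---------------------------------------------------
// wp_ajax_* hooks only fire for logged-in users, but "logged in" is not an
// authorization decision: without the checks below, any authenticated role
// that can reach admin-ajax.php could trigger the privileged operation.
add_action( 'wp_ajax_example_addon_install', 'example_addon_install_ajax' );

function example_addon_install_ajax() {
    // CSRF protection: the request must carry a nonce issued for this action
    // (sent as the 'nonce' request parameter by the plugin's own admin page).
    check_ajax_referer( 'example_addon_install', 'nonce' );

    // Capability check: the operation is plugin installation/activation, so
    // the caller must hold the capabilities WordPress itself requires for it.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $result = example_addon_activate( 'example-addon/example-addon.php' );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => $result->get_error_message() ), 500 );
    }
    wp_send_json_success();
}

// --- REST route -----------------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/addons/activate', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_addon_activate_rest',
        // The weak pattern is a permission_callback of '__return_true'
        // (or one that only tests is_user_logged_in()); the fix is to
        // require the capability the operation actually needs.
        'permission_callback' => function () {
            return current_user_can( 'activate_plugins' );
        },
        'args' => array(
            'plugin' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_addon_activate_rest( WP_REST_Request $request ) {
    $plugin = $request->get_param( 'plugin' );
    // Allow-list: activate only the add-on this feature is meant to manage,
    // never an arbitrary plugin path supplied by the request.
    $allowed = array( 'example-addon/example-addon.php' );
    if ( ! in_array( $plugin, $allowed, true ) ) {
        return new WP_Error( 'example_addon_not_allowed', 'Plugin not permitted.', array( 'status' => 400 ) );
    }
    $result = example_addon_activate( $plugin );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'activated' => $plugin ) );
}

// Shared helper around WordPress core's activate_plugin().
function example_addon_activate( $plugin_file ) {
    if ( ! function_exists( 'activate_plugin' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    // activate_plugin() returns null on success or a WP_Error on failure.
    $result = activate_plugin( $plugin_file );
    return null === $result ? true : $result;
}
```

The design point is that authentication (a valid session or REST nonce) and authorization (the right capability) are separate checks; the REST `permission_callback` and the `current_user_can()` call in the AJAX handler are where the second one lives, and an allow-list keeps the endpoint from becoming a generic "activate any plugin" primitive even for callers who do pass the capability check.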
Explanation of Vulnerability in Simple Terms
02 Summary
YayMail versions up to 4.3.2 lack proper authorization checks on certain administrative functions. A high-privileged user (such as a site administrator) can modify email settings in ways that exceed their intended permissions. The vulnerability has low integrity impact and requires administrative access to exploit.
What an attacker can do
03 Attacker Capabilities
Modify email customization settings beyond their authorized scope.
Potential impact on your site
04 Site Impact
A rogue admin or compromised admin account could alter WooCommerce email templates or settings inappropriately.
Conditions required to exploit
05 Prerequisites
Attacker must have high-level administrative privileges on the WordPress site.
Key dates
06 Disclosure timeline
February 18, 2026: CVE published
April 8, 2026: Record updated