CVE-2026-1925 MEDIUM

CVE-2026-1925: EmailKit – Email Customizer for WooCommerce & WP <= 1.6.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Title Modification

Vendor Roxnor
Product EmailKit – Email Customizer for WooCommerce & WP
Weakness CWE-862 · Missing authorization
Published February 18, 2026
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'update_template_data' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the title of any post on the site, including posts, pages, and custom post types.

Explanation of Vulnerability in Simple Terms

02Summary

EmailKit for WooCommerce & WordPress versions up to 1.6.2 lack proper authorization checks on certain functions. A logged-in user with low privileges can modify email templates or settings without proper permission verification. This affects the integrity of email communications sent to customers. Update to a version newer than 1.6.2.

What an attacker can do

03Attacker Capabilities

Modify email templates or settings without proper authorization.

Potential impact on your site

04Site Impact

Unauthorized users could alter transactional emails, potentially disrupting customer communications or injecting malicious content.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege WordPress user account (e.g., subscriber or contributor).

Key dates

06Disclosure timeline

February 18, 2026 CVE published
April 8, 2026 Record updated