YayMail < 4.3.3 – Shop Manager+ Arbitrary Options Update | CVE 2026-1937 | Plugin Vulnerabilities

Description

The plugin is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `yaymail_import_state` AJAX action. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Affects Plugins

Fixed in 4.3.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/5a17ded3-340d-494f-be7e-2550dab360bc

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

whizzu

Verified

No

WPVDB ID

07240cfd-8bbe-4574-8e48-b82f0851949e

Timeline

Publicly Published

2026-02-17 (about 3 months ago)

Added

2026-02-17 (about 3 months ago)

Last Updated

2026-02-18 (about 3 months ago)

Other

Published

Title

Published

2024-04-25

Title

Five Star Restaurant Reservations < 2.6.17 - Missing Authorization

Published

2025-02-03

Title

SocialV - Social Network and Community BuddyPress Theme < 2.0.16 - Missing Authorization to Arbitrary File Download

Published

2026-05-13

Title

WPBakery Page Builder < 8.7.3 - Missing Authorization

Published

2026-02-11

Title

PDF for Elementor Forms + Drag And Drop Template Builder < 6.5.0 - Missing Authorization

Published

2025-04-17

Title

Master Slider <= 3.11.0 - Missing Authorization