EmailKit – Email Customizer for WooCommerce & WP < 1.6.3 – Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Title Modification | CVE 2026-1925 | Plugin Vulnerabilities

Description

The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'update_template_data' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the title of any post on the site, including posts, pages, and custom post types.

Affects Plugins

Fixed in 1.6.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/f131ea1e-d652-4854-abea-6a307ca8118f

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Chiao-Lin Yu (Steven Meow)

Verified

No

WPVDB ID

97ac4f77-3076-4661-a382-576a9f34a9e6

Timeline

Publicly Published

2026-02-17 (about 4 months ago)

Added

2026-02-17 (about 4 months ago)

Last Updated

2026-02-18 (about 4 months ago)

Other

Published

Title

Published

2025-10-24

Title

Product Filter by WBW < 3.0.1 - Missing Authorization to Unauthenticated Settings Update

Published

2023-01-16

Title

Stream < 3.9.2 - Subscriber+ Alert Creation

Published

2026-02-25

Title

Scientific and Interactive Blocks – inseri core <= 1.0.5 - Missing Authorization

Published

2026-04-21

Title

rtMedia for WordPress, BuddyPress and bbPress < 4.7.10 - Missing Authorization

Published

2025-04-04

Title

Display product variations dropdown on shop page <= 1.1.3 - Missing Authorization