Vulnerabilities and security research for yaymail
Mar 29, 2026
YayMail – WooCommerce Email Customizer # CVE-2026-27327
- CVE, Research URL: CVE-2026-27327
- Application: YayMail – WooCommerce Email Customizer
- Date: Feb 20, 2026
- Research Description: Missing Authorization vulnerability in YayCommerce YayMail – WooCommerce Email Customizer (yaymail) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YayMail – WooCommerce Email Customizer: from n/a through <= 4.3.2.
- Affected versions: max 4.3.2.
- Status: vulnerable
Apr 13, 2026
YayMail – WooCommerce Email Customizer # CVE-2026-39496
- CVE, Research URL: CVE-2026-39496
- Application: YayMail – WooCommerce Email Customizer
- Date: Apr 08, 2026
- Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YayMail (yaymail) allows Blind SQL Injection. This issue affects YayMail: from n/a through <= 4.3.3.
- Affected versions: max 4.3.4.
- Status: vulnerable
Apr 14, 2026
YayMail – WooCommerce Email Customizer # CVE-2026-1943
- CVE, Research URL: CVE-2026-1943
- Application: YayMail – WooCommerce Email Customizer
- Date: Feb 18, 2026
- Research Description: The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.3.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where `unfiltered_html` has been disabled.
- Affected versions: max 4.3.3.
- Status: vulnerable
YayMail – WooCommerce Email Customizer # CVE-2026-1831
- CVE, Research URL: CVE-2026-1831
- Application: YayMail – WooCommerce Email Customizer
- Date: Feb 18, 2026
- Research Description: The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the `yaymail_install_yaysmtp` AJAX action and `/yaymail/v1/addons/activate` REST endpoint in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install and activate the YaySMTP plugin.
- Affected versions: max 4.3.3.
- Status: vulnerable
YayMail – WooCommerce Email Customizer # CVE-2026-1938
- CVE, Research URL: CVE-2026-1938
- Application: YayMail – WooCommerce Email Customizer
- Date: Feb 18, 2026
- Research Description: The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized license key deletion due to a missing authorization check on the `/yaymail-license/v1/license/delete` REST endpoint in versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to delete the plugin's license key via the `/yaymail-license/v1/license/delete` endpoint, granted they can obtain the REST API nonce.
- Affected versions: max 4.3.3.
- Status: vulnerable
YayMail – WooCommerce Email Customizer # CVE-2026-1937
- CVE, Research URL: CVE-2026-1937
- Application: YayMail – WooCommerce Email Customizer
- Date: Feb 18, 2026
- Research Description: The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `yaymail_import_state` AJAX action in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
- Affected versions: max 4.3.3.
- Status: vulnerable
Apr 28, 2026
YayMail – WooCommerce Email Customizer # PSC-2026-64649
- PSC, Research URL: PSC-2026-64649
- Application: YayMail – WooCommerce Email Customizer
- Date: Apr 28, 2026
- Research Description: WooCommerce email customization plugins operate on a sensitive boundary between order data, customer communication, template rendering, and admin-side content editing. These plugins often process customer names, billing and shipping details, order metadata, payment-related labels, coupons, custom fields, and transactional email content. A weakness in this class of plugin can lead to stored XSS in email templates or admin previews, unauthorized modification of transactional communications, data leakage through shortcodes or preview logic, or abuse of import/export and template management functionality. YayMail – WooCommerce Email Customizer version 4.4.0 has successfully completed the CleanTalk Plugin Security Certification process and received PSC-2026-64649, confirming that the plugin was reviewed from a secure code perspective with attention to the most common exploitation paths for WooCommerce email template, shortcode, preview, and customization plugins.
- Affected versions: Min 4.4.0, max 4.4.0.
- Status: SAFE & CERTIFIED