cleantalk
Vulnerabilities and Security Researches

YayMail – WooCommerce Email Customizer, CVE-2026-1831

CVE, Research URL

CVE-2026-1831

Home page URL

Security reports for YayMail – WooCommerce Email Customizer

Application

YayMail – WooCommerce Email Customizer

Published on
Feb 18, 2026
Research Description
The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymail_install_yaysmtp' AJAX action and `/yaymail/v1/addons/activate` REST endpoint in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install and activate the YaySMTP plugin.
Affected versions
max 4.3.3.
Status
vulnerable
Previous vulnerability researches
MC4WP: Mailchimp for WordPress (CVE-2026-1781) , Apr 14, 2026
MC4WP: Mailchimp for WordPress (CVE-2023-51682) , Jun 10, 2024
MC4WP: Mailchimp for WordPress (CVE-2021-36833) , Jun 06, 2024
MC4WP: Mailchimp for WordPress (CVE-2024-8850) , Sep 19, 2024
MC4WP: Mailchimp for WordPress (CVE-2016-10871) , Jun 06, 2024
New vulnerability
LeadConnector (CVE-2026-1890) , Apr 14, 2026
Master Addons for Elementor (CVE-2026-2486) , Apr 14, 2026
PDF Flipbook, 3D Flipbook – DearFlip (CVE-2026-2569) , Apr 14, 2026
Germanized for WooCommerce (CVE-2026-2582) , Apr 14, 2026
Gutenberg Blocks by Kadence Blocks – Page Builder Features (CVE-2026-2608) , Apr 14, 2026