CVE-2026-1938 Overview
The YayMail – WooCommerce Email Customizer plugin for WordPress contains a missing authorization vulnerability in its REST API endpoint. Specifically, the /yaymail-license/v1/license/delete endpoint lacks proper authorization checks, allowing authenticated attackers with Shop Manager-level access or above to delete the plugin's license key without proper permission validation. This broken access control issue (CWE-862) affects versions up to and including 4.3.2.
Critical Impact
Authenticated attackers with Shop Manager privileges can delete the plugin's license key, potentially disrupting email customization functionality and forcing organizations to re-license the product.
Affected Products
- YayMail – WooCommerce Email Customizer plugin for WordPress versions up to and including 4.3.2
- WordPress sites running vulnerable YayMail plugin versions with REST API enabled
- WooCommerce stores utilizing YayMail for email customization
Discovery Timeline
- 2026-02-18 - CVE-2026-1938 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-1938
Vulnerability Analysis
This vulnerability represents a classic missing authorization flaw (CWE-862) in the YayMail plugin's license management REST API. The vulnerable code resides in the RestAPI.php file within the License module, specifically around line 142 where the license deletion endpoint is registered.
The core issue is that while the endpoint requires authentication, it fails to verify whether the authenticated user actually has the appropriate permissions to perform license key deletion operations. Shop Manager-level users, who should only have access to manage store operations, can exploit this endpoint to delete the plugin's license key if they can obtain a valid REST API nonce.
This type of authorization bypass vulnerability allows for horizontal privilege escalation within the WordPress administrative context, where users can perform actions beyond their intended role capabilities.
Root Cause
The root cause of this vulnerability lies in the improper implementation of the REST API endpoint handler for license deletion. The /yaymail-license/v1/license/delete endpoint fails to include a proper capability check or permission callback that would verify the requesting user has administrator-level privileges before processing the license deletion request. The code only validates the REST API nonce for CSRF protection but neglects to verify user capabilities.
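The pattern behind this root cause, shown as an added illustration rather than YayMail's own code or the contents of the fix changeset: a WordPress REST route registered with a real permission_callback, next to the vulnerable shape in a comment. The namespace and route come from this advisory; the handler and option names are hypothetical.

```php
<?php
/**
 * Hardened registration of a license-delete REST route.
 * Added example for this advisory; not YayMail's code and not the diff in
 * changeset 3460087. Namespace and route are from the advisory; the handler
 * function and option name are hypothetical.
 */
add_action( 'rest_api_init', function () {
    register_rest_route( 'yaymail-license/v1', '/license/delete', array(
        'methods'  => WP_REST_Server::DELETABLE,
        'callback' => 'example_yaymail_delete_license',
        // Vulnerable shape (CWE-862): 'permission_callback' => '__return_true',
        // or the key omitted entirely (WordPress 5.5+ logs a notice but still
        // serves the route). Either way core verifies the cookie nonce (CSRF)
        // but never asks whether this user may manage the license.
        'permission_callback' => 'example_yaymail_can_manage_license',
    ) );
} );

/**
 * Capability check run by WordPress before the callback. Authentication is
 * not authorization: a Shop Manager passes the nonce check but lacks
 * manage_options, so the request stops here.
 */
function example_yaymail_can_manage_license( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    // 401 for anonymous callers, 403 for authenticated but unprivileged ones.
    return new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to manage the plugin license.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

function example_yaymail_delete_license( WP_REST_Request $request ) {
    // Hypothetical option name; where the real plugin stores its key is not documented here.
    delete_option( 'example_yaymail_license_key' );
    return rest_ensure_response( array( 'deleted' => true ) );
}
```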
Attack Vector
The attack vector requires network access to the WordPress REST API and authenticated access with at least Shop Manager-level privileges. An attacker would need to:
- Authenticate to WordPress with a Shop Manager or higher-level account
- Obtain a valid REST API nonce (typically available to authenticated users)
- Send a crafted request to the /yaymail-license/v1/license/delete endpoint
The endpoint then processes the deletion without verifying administrator capabilities.
The vulnerability is exploitable via the network (AV:N) with low attack complexity (AC:L), requiring no user interaction but necessitating valid authentication credentials.
The vulnerable endpoint can be accessed by sending a DELETE or POST request to the REST API route at /wp-json/yaymail-license/v1/license/delete. The attack leverages the absence of a permission_callback that properly validates user capabilities against the manage_options capability or a custom capability requirement. See the WordPress YayMail License Source for technical implementation details.
Detection Methods for CVE-2026-1938
Indicators of Compromise
- Unexpected license key deletion events in WordPress or YayMail plugin logs
- REST API requests to /wp-json/yaymail-license/v1/license/delete from non-administrator accounts
- Sudden loss of YayMail premium functionality without administrative action
- Anomalous activity from Shop Manager accounts accessing license-related endpoints
Detection Strategies
- Monitor WordPress REST API logs for requests targeting /yaymail-license/v1/license/delete endpoints
- Implement Web Application Firewall (WAF) rules to alert on suspicious REST API patterns from non-admin users
- Review user activity logs for Shop Manager accounts performing unexpected administrative actions
- Enable WordPress audit logging plugins to track REST API endpoint access by user role
Monitoring Recommendations
- Configure alerting for any access to license management REST endpoints by non-administrator users
- Establish baseline REST API activity patterns and alert on deviations involving license endpoints
- Implement real-time monitoring of WooCommerce and YayMail plugin state changes
- Deploy SentinelOne Singularity to detect and prevent exploitation attempts targeting WordPress installations
How to Mitigate CVE-2026-1938
Immediate Actions Required
- Update the YayMail plugin to version 4.3.3 or later immediately
- Audit Shop Manager accounts for any unauthorized license deletion activity
- Review WordPress REST API access logs for evidence of exploitation
- Consider temporarily restricting Shop Manager REST API access until patching is complete
Patch Information
The vulnerability has been addressed in the WordPress Changeset #3460087. The fix adds proper authorization checks to the license deletion endpoint, ensuring only users with appropriate capabilities can perform this action. Site administrators should update to the patched version through the WordPress plugin dashboard or by downloading the latest version from the WordPress plugin repository.
For additional technical details about this vulnerability, refer to the Wordfence Vulnerability Analysis.
Workarounds
- Restrict Shop Manager account creation to trusted personnel only
- Implement additional REST API authentication layers using security plugins
- Use a Web Application Firewall to block unauthorized access to sensitive REST endpoints
- Consider disabling the YayMail license REST API endpoints at the web server level if not required
# Example: Block access to vulnerable endpoint via .htaccess (Apache)
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Pretty-permalink form; adjust the leading path if WordPress is installed in a subdirectory
    RewriteCond %{REQUEST_URI} ^/wp-json/yaymail-license/v1/license/delete [NC]
    RewriteRule .* - [F,L]
    # Plain-permalink form (/?rest_route=...); slashes may arrive URL-encoded, so match loosely
    RewriteCond %{QUERY_STRING} rest_route=[^&]*yaymail-license[^&]*delete [NC]
    RewriteRule .* - [F,L]
</IfModule>
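A WordPress-level alternative to the Apache rule above, added here as an example and not anything shipped by YayMail or WordPress: a must-use plugin that intercepts the license routes before the plugin's callback runs, logs every attempt with the caller's role (the "access by non-administrator" signal recommended under Monitoring), and refuses anyone without manage_options while leaving administrators untouched. It catches the /?rest_route= form as well as /wp-json/; the route path is from this advisory, all other names are hypothetical.

```php
<?php
/**
 * Plugin Name: Example YayMail license-route guard (mu-plugin)
 * Added example for this advisory, not part of YayMail or WordPress core.
 * Place in wp-content/mu-plugins/ as a stop-gap until the plugin is updated.
 * The route prefix comes from the advisory; everything else is illustrative.
 */

add_filter( 'rest_pre_dispatch', 'example_guard_yaymail_license_route', 10, 3 );

function example_guard_yaymail_license_route( $result, $server, $request ) {
    // get_route() is the internal route, so both /wp-json/... and
    // /?rest_route=... requests land here. The prefix deliberately covers the
    // delete route named in the advisory and any sibling license routes.
    if ( 0 !== strpos( $request->get_route(), '/yaymail-license/v1/license/' ) ) {
        return $result; // Not a license route: let WordPress continue normally.
    }

    $user = wp_get_current_user();
    $who  = $user->exists()
        ? $user->user_login . ' [' . implode( ',', $user->roles ) . ']'
        : 'anonymous';

    // One log line per hit, admin or not, so a baseline can be built and
    // non-administrator access alerted on. Swap error_log() for your SIEM sink.
    error_log( sprintf(
        'yaymail-license-guard: %s %s by %s from %s',
        $request->get_method(),
        $request->get_route(),
        $who,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );

    if ( current_user_can( 'manage_options' ) ) {
        return $result; // Administrators keep using the plugin's own endpoint.
    }

    // A WP_Error returned from rest_pre_dispatch short-circuits dispatch:
    // the plugin's (unguarded) callback never executes for this caller.
    return new WP_Error(
        'rest_forbidden',
        'License management is restricted to administrators on this site.',
        array( 'status' => rest_authorization_required_code() )
    );
}
```

Unlike the .htaccess rule, this keeps the endpoint usable for administrators, so it can stay in place even where the license functionality is required.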
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

