Is WordPress affected by CVE-2026-1937?

A critical vulnerability in the YayMail WordPress plugin allows unauthorized users to escalate privileges and modify data on affected websites, potentially leading to complete account takeover and site compromise.

CVE-2026-1937

HIGH

2026-02-18 [email protected]

7.2

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

CVE Published

Feb 18, 2026 - 07:16 nvd

HIGH 7.2

Description

The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `yaymail_import_state` AJAX action in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.

Analysis

Unauthorized data modification in YayMail WooCommerce Email Customizer WordPress plugin allows unauthenticated attackers to modify email templates, potentially enabling phishing attacks against customers.

Remediation

Within 24 hours: Identify all WordPress instances running YayMail and document affected versions; disable the plugin immediately if not business-critical. Within 7 days: Evaluate alternative email customization solutions and plan migration strategy; implement WAF rules to block yaymail_import_state AJAX requests. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +36

POC: 0

CVE-2026-1937 vulnerability details – vuln.today

Back

CVE-2026-1937

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-1937

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code