Skip to main content

YayMail CVE-2026-39498

| EUVD-2026-36945 HIGH
Deserialization of Untrusted Data (CWE-502)
2026-06-15 Patchstack GHSA-h674-wp7j-pj7m
PHP Deserialization Yaymail
7.2
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.2 HIGH

Network-reachable WordPress admin (AV:N, AC:L), requires Shop Manager role (PR:H), no user interaction (UI:N); PHP object injection typically yields full C/I/A within the web app scope.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 22:26 vuln.today

DescriptionCVE.org

Shop manager PHP Object Injection in YayMail <= 4.3.3 versions.

AnalysisAI

PHP Object Injection in the YayMail WordPress plugin (versions ≤ 4.3.3) allows authenticated users with Shop Manager privileges to inject crafted serialized PHP objects and trigger deserialization on the server. Successful exploitation can lead to high-impact compromise of confidentiality, integrity, and availability of the WordPress site, though no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Shop Manager credentials
Delivery
Authenticate to WordPress admin
Exploit
Submit crafted serialized payload to YayMail endpoint
Execution
Trigger unserialize() of attacker data
Persist
Execute gadget chain in PHP context
Impact
Achieve code execution or data tampering
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress session with the WooCommerce Shop Manager role (or higher) on a site running YayMail ≤ 4.3.3, plus network reach to the WordPress admin interface - no end-user interaction is needed once authenticated. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2 High) reflects network-reachable exploitation by a high-privileged (Shop Manager) account with no user interaction, yielding full C/I/A impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who obtains Shop Manager credentials - through phishing, password reuse, or insider access - logs into the WordPress admin and submits a crafted serialized PHP payload to a YayMail endpoint that calls unserialize() on the input. The payload instantiates a gadget chain from WordPress, WooCommerce, or another plugin, leading to arbitrary file write, SQL execution, or code execution under the web server account. …
Remediation Upstream fix available per Patchstack advisory; released patched version not independently confirmed in the provided data, so administrators should upgrade YayMail to the latest version published by yeeaddons above 4.3.3 by consulting the advisory at https://patchstack.com/database/wordpress/plugin/yaymail/vulnerability/wordpress-yaymail-plugin-4-3-3-php-object-injection-vulnerability and the WordPress plugin repository. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for YayMail ≤ 4.3.3; restrict Shop Manager role assignment to essential personnel only; enable detailed admin action logging. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-55692 HIGH POC
7.5 Jun 19

Stored cross-site scripting in the StarCitizenWiki EmbedVideo MediaWiki extension (versions <= 4.0.0) allows any user wi
CVE-2026-9815 MEDIUM POC
6.5 Jun 18

Unrestricted PHP file upload in the MagicForm WordPress plugin (through version 0.1.3) enables unauthenticated remote co
CVE-2026-48908 CRITICAL
10.0 Jun 20

Remote unauthenticated arbitrary file upload in JoomShaper SP Page Builder extension for Joomla (versions 1.0.0 through

CVE-2026-48939 CRITICAL
10.0 Jun 20

Arbitrary PHP file upload in the iCagenda extension for Joomla enables remote unauthenticated attackers to abuse the eve
CVE-2025-69108 CRITICAL
9.8 Jun 16

Unauthenticated PHP Object Injection in the ThemeREX Hot Coffee WordPress theme (versions ≤ 1.7) allows remote attackers

Share

CVE-2026-39498 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy