
YayMail EUVD-2026-20162 | CVE-2026-39496 HIGH
SQL Injection (CWE-89)
Published 2026-04-08 · Patchstack · GHSA-rpq4-pw8v-6f38
Score: 7.6 (CVSS 3.1, NVD)

Severity by source

NVD PRIMARY
7.6 HIGH
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: Low

Lifecycle Timeline (5 events)

  • Re-analysis Queued · Apr 24, 2026 18:22 · vuln.today · trigger: cvss_changed
  • Analysis Generated · Apr 15, 2026 12:26 · vuln.today
  • CVSS changed · Apr 13, 2026 20:22 · NVD · 7.6 (HIGH)
  • EUVD ID Assigned · Apr 08, 2026 08:45 · euvd · EUVD-2026-20162
  • CVE Published · Apr 08, 2026 08:30 · nvd · score: N/A

Description (CVE.org)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YayMail yaymail allows Blind SQL Injection. This issue affects YayMail: from n/a through <= 4.3.3.

Analysis (AI)

SQL injection in YayCommerce YayMail plugin through version 4.3.3 enables authenticated administrators with high privileges to extract sensitive database information via blind SQL injection attacks. The vulnerability allows cross-scope confidentiality impact, meaning attackers can access data beyond their normal authorization boundaries. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: Compromise admin credentials via phishing
  • Delivery: Authenticate to WordPress admin panel
  • Exploit: Navigate to YayMail plugin interface
  • Install: Inject SQL payload in vulnerable parameter
  • C2: Execute blind SQL queries via timing/boolean techniques
  • Execute: Extract database contents including cross-scope data
  • Impact: Exfiltrate sensitive information

Vulnerability Assessment (AI)

Exploitation: Attacker must possess valid WordPress administrator-level credentials (PR:H requirement from CVSS vector). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: Real-world risk is significantly constrained despite the 7.6 CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who has compromised WordPress administrator credentials (through phishing, password reuse, or session hijacking) authenticates to the WordPress admin panel and navigates to YayMail plugin configuration pages. They craft malicious input containing SQL injection payloads in plugin parameters that interact with database queries, exploiting improper input sanitization. …

Remediation: Upgrade the YayMail plugin to a version newer than 4.3.3 immediately through the WordPress admin dashboard (Plugins > Installed Plugins > YayMail > Update) or via manual installation from the official WordPress plugin repository. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: inventory all WordPress installations using YayMail plugin and document current versions. …




EUVD-2026-20162 vulnerability details – vuln.today
