Yaymail
PHP Object Injection in the YayMail WordPress plugin (versions ≤ 4.3.3) allows authenticated users with Shop Manager privileges to inject crafted serialized PHP objects and trigger deserialization on the server. Successful exploitation can lead to high-impact compromise of the confidentiality, integrity, and availability of the WordPress site, though no public exploit was identified at the time of analysis. The flaw was reported by Patchstack and is tracked as EUVD-2026-36945.
SQL injection in the YayCommerce YayMail plugin through version 4.3.3 enables authenticated administrators with high privileges to extract sensitive database information via blind SQL injection attacks. The vulnerability has cross-scope confidentiality impact, meaning attackers can access data beyond their normal authorization boundaries. No public exploit was identified at the time of analysis, and the EPSS score of 0.02% (6th percentile) indicates a very low probability of exploitation in the wild.