YayMail – WooCommerce Email Customizer Security & Risk Analysis

wordpress.org/plugins/yaymail

Customize WooCommerce email templates with an advanced drag-and-drop email builder. Works great with 80+ WooCommerce Email Customizer Addons.

50K active installs · v4.3.4 · PHP 5.4+ · WP 4.7+ · Updated Mar 12, 2026
Tags: drag-and-drop, email-builder, email-templates, woocommerce-email-customizer, woocommerce-emails
Score: 91 · A · Safe
CVEs total: 4
Unpatched: 0
Last CVE: Feb 17, 2026
Safety Verdict

Is YayMail – WooCommerce Email Customizer Safe to Use in 2026?

Generally Safe

Score 91/100

YayMail – WooCommerce Email Customizer has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Feb 17, 2026 · Updated 22d ago
Risk Assessment

The "yaymail" plugin version 4.3.4 presents a mixed security posture. Static analysis reveals a robust adherence to many WordPress security best practices, with all identified entry points (AJAX handlers) protected by nonce and capability checks. The plugin also demonstrates excellent SQL query sanitization, with 100% using prepared statements, and a very high rate of properly escaped output (97%). This indicates a strong effort by the developers to mitigate common web vulnerabilities within the codebase itself.

However, the presence of the `unserialize` function is a significant concern. While not flagged in the taint analysis for this specific version, `unserialize` is inherently risky as it can lead to Remote Code Execution if used with untrusted input. The vulnerability history reinforces this concern: the plugin has 4 CVEs, including one critical and two medium severity vulnerabilities, and the common past types are Cross-Site Scripting and Missing Authorization. The last vulnerability was in February 2026, which is surprisingly in the future and likely a data entry error, but the pattern of past vulnerabilities warrants attention. The plugin's overall security is strengthened by its internal checks, but the historical trend and the `unserialize` function remain potential weak points.

In conclusion, while "yaymail" v4.3.4 has made significant strides in secure coding practices, particularly concerning SQL and output escaping, the residual risk from the `unserialize` function and its past vulnerability history cannot be ignored. Developers should thoroughly review all uses of `unserialize` and ensure robust validation of any data processed by it. Continuous monitoring and timely patching of future vulnerabilities are crucial for maintaining a secure environment.

Key Concerns

  • Usage of unserialize function
  • Past critical vulnerability
  • Past medium vulnerabilities (2)
  • Past low vulnerability
Vulnerabilities: 4

YayMail – WooCommerce Email Customizer Security Vulnerabilities

CVEs by Year

4 CVEs in 2026

Severity Breakdown

Critical: 1
Medium: 2
Low: 1

4 total CVEs

CVE-2026-1938 · medium · 5.3 · Missing Authorization

YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) License Key Deletion via '/yaymail-license/v1/license/delete' Endpoint

Feb 17, 2026 · Patched in 4.3.3 (1d)

CVE-2026-1831 · low · 2.7 · Missing Authorization

YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Plugin Installation and Activation

Feb 17, 2026 · Patched in 4.3.3 (1d)

CVE-2026-1943 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

YayMail <= 4.3.2 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via Template Elements

Feb 17, 2026 · Patched in 4.3.3 (1d)

CVE-2026-1937 · critical · 9.8 · Missing Authorization

YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Options Update via 'yaymail_import_state' AJAX Action

Feb 17, 2026 · Patched in 4.3.3 (1d)

Code Analysis
Analyzed Mar 16, 2026

YayMail – WooCommerce Email Customizer Code Analysis

  • Dangerous Functions: 1
  • Raw SQL Queries: 0 (30 prepared)
  • Unescaped Output: 37 (1047 escaped)
  • Nonce Checks: 27
  • Capability Checks: 20
  • File Operations: 4
  • External Requests: 6
  • Bundled Libraries: 0

Dangerous Functions Found

unserialize · src\Models\MigrationModel.php:40
`$unserialized = @unserialize( $value, [ 'allowed_classes' => false ] );`

SQL Query Safety

100% prepared · 30 total queries

Output Escaping

97% escaped · 1084 total outputs

Data Flows
All sanitized

Data Flow Analysis

5 flows
send_test_mail (src\Ajax.php:306)
Attack Surface

YayMail – WooCommerce Email Customizer Attack Surface

Entry Points: 19
Unprotected: 0

AJAX Handlers 19

auth · wp_ajax_yaymail_preview_mail · src\Ajax.php:26
auth · wp_ajax_yaymail_preview_mail_for_woo · src\Ajax.php:27
auth · wp_ajax_yaymail_send_test_mail · src\Ajax.php:28
auth · wp_ajax_yaymail_install_yaysmtp · src\Ajax.php:29
auth · wp_ajax_yaymail_get_custom_hook_html · src\Ajax.php:30
auth · wp_ajax_yaymail_get_template_data_onload · src\Ajax.php:31
auth · wp_ajax_yaymail_export_templates · src\Ajax.php:32
auth · wp_ajax_yaymail_import_templates · src\Ajax.php:33
auth · wp_ajax_yaymail_review · src\Ajax.php:34
auth · wp_ajax_yaymail_change_ghf_tour · src\Ajax.php:35
auth · wp_ajax_yaymail_dismiss_multi_select_notice · src\Ajax.php:36
auth · wp_ajax_yaymail_export_state · src\Ajax.php:37
auth · wp_ajax_yaymail_import_state · src\Ajax.php:38
auth · wp_ajax_yaymail_dismiss_new_element_notification · src\Ajax.php:39
auth · wp_ajax_yaymail_dismiss_suggest_addons_notice · src\Notices\Ajax.php:19
auth · wp_ajax_yaymail_dismiss_upgrade_notice · src\Notices\Ajax.php:20
auth · wp_ajax_yay_recommended_get_plugin_data · src\YayCommerceMenu\OtherPluginsMenu.php:27
auth · wp_ajax_yay_recommended_activate_plugin · src\YayCommerceMenu\OtherPluginsMenu.php:28
auth · wp_ajax_yay_recommended_upgrade_plugin · src\YayCommerceMenu\OtherPluginsMenu.php:29

WordPress Hooks 92

filter · wp_save_post_revision_post_has_changed · src\Controllers\RevisionController.php:28
filter · wp_save_post_revision · src\Controllers\RevisionController.php:29
filter · wc_get_template · src\Emails\CancelledOrder.php:29
filter · wc_get_template · src\Emails\CustomerCancelledOrder.php:29
filter · wc_get_template · src\Emails\CustomerCompletedOrder.php:29
filter · wc_get_template · src\Emails\CustomerFailedOrder.php:29
filter · wc_get_template · src\Emails\CustomerInvoice.php:29
filter · wc_get_template · src\Emails\CustomerNewAccount.php:31
filter · yaymail_trigger_to_preview_email · src\Emails\CustomerNewAccount.php:32
action · yaymail_trigger_email · src\Emails\CustomerNewAccount.php:38
filter · wc_get_template · src\Emails\CustomerNote.php:29
filter · wc_get_template · src\Emails\CustomerOnHoldOrder.php:31
filter · wc_get_template · src\Emails\CustomerPOSCompletedOrder.php:31
filter · wc_get_template · src\Emails\CustomerPOSRefundedOrder.php:33
filter · wc_get_template · src\Emails\CustomerProcessingOrder.php:30
filter · wc_get_template · src\Emails\CustomerRefundedOrder.php:31
filter · wc_get_template · src\Emails\CustomerResetPassword.php:32
action · yaymail_before_email_content · src\Emails\EmailsLoader.php:23
action · yaymail_after_email_content · src\Emails\EmailsLoader.php:24
filter · safe_style_css · src\Emails\EmailsLoader.php:29
filter · woocommerce_email_styles · src\Emails\EmailsLoader.php:30
filter · wc_get_template · src\Emails\FailedOrder.php:30
filter · wc_get_template · src\Emails\NewOrder.php:30
action · admin_menu · src\Engine\Backend\SettingsPage.php:34
action · admin_enqueue_scripts · src\Engine\Backend\SettingsPage.php:35
filter · plugin_row_meta · src\Engine\Backend\SettingsPage.php:38
filter · mce_external_plugins · src\Engine\Backend\SettingsPage.php:39
filter · woocommerce_email_setting_columns · src\Engine\Backend\SettingsPage.php:42
action · woocommerce_email_setting_column_yaymail_customizer · src\Engine\Backend\SettingsPage.php:43
action · admin_enqueue_scripts · src\Engine\Backend\SettingsPage.php:46
action · yaymail_after_enqueue_scripts · src\Engine\Backend\SettingsPage.php:93
action · rest_api_init · src\Engine\RestAPI.php:25
action · init · src\I18n.php:17
filter · yaymail_translations · src\I18n.php:18
action · init · src\Initialize.php:48
action · admin_head · src\Integrations\AdminAndSiteEnhancements\AdminAndSiteEnhancements.php:28
action · yaymail_register_shortcodes · src\Integrations\DHL\DHLIntegration.php:19
filter · yaymail_shipping_address_content · src\Integrations\F4ShippingPhoneAndEmailForWooCommerce\F4ShippingPhoneAndEmailForWooCommerce.php:28
filter · rank_math/sitemap/exclude_post_type · src\Integrations\RankMath.php:21
action · init · src\Integrations\RankMath.php:34
filter · pre_set_site_transient_update_plugins · src\License\EDD_SL_Plugin_Updater.php:74
filter · plugins_api · src\License\EDD_SL_Plugin_Updater.php:75
action · admin_init · src\License\EDD_SL_Plugin_Updater.php:78
filter · pre_set_site_transient_update_plugins · src\License\EDD_SL_Plugin_Updater.php:254
filter · plugins_list · src\License\LicenseHandler.php:37
action · admin_enqueue_scripts · src\License\LicenseHandler.php:39
action · yaycommerce_licenses_page · src\License\LicenseHandler.php:40
filter · yaycommerce_licensing_plugins · src\License\LicenseHandler.php:41
action · admin_notices · src\License\LicenseHandler.php:44
action · admin_init · src\License\LicenseHandler.php:56
filter · auto_update_plugin · src\License\LicenseHandler.php:57
filter · cron_schedules · src\License\LicenseHandler.php:70
action · check_license_cron · src\License\LicenseHandler.php:71
action · rest_api_init · src\License\RestAPI.php:12
action · yaymail_run_addon_migrations · src\Migrations\AbstractAddonMigrationManager.php:93
filter · yaymail_required_migration_names · src\Migrations\AbstractAddonMigrationManager.php:94
filter · yaymail_migration_backup_data · src\Migrations\AbstractAddonMigrationManager.php:95
action · admin_notices · src\Notices\NoticeMain.php:36
action · admin_notices · src\Notices\NoticeMain.php:40
action · admin_footer · src\Notices\NoticeMain.php:107
action · init · src\PostTypes\TemplatePostType.php:29
filter · yaymail_preview_email_woo_additional_order_id · src\PreviewEmail\Integration\WcSubscriptions.php:15
action · yaymail_preview_email_woo_additional_order_trigger · src\PreviewEmail\Integration\WcSubscriptions.php:16
filter · woocommerce_new_order_email_allows_resend · src\PreviewEmail\PreviewEmailWoo.php:48
filter · yaymail_is_preview_email · src\PreviewEmail\PreviewEmailWoo.php:49
filter · woocommerce_email_preview_dummy_order · src\PreviewEmail\PreviewEmailWoo.php:114
filter · yaymail_extra_shortcodes · src\Shortcodes\LegacyCustomShortcodes.php:22
filter · yaymail_extra_shortcodes · src\Shortcodes\OrderMetaShortcodes.php:19
filter · yaymail_extra_shortcodes · src\Shortcodes\OrderMetaShortcodes.php:20
action · wp_enqueue_scripts · src\Utils\YayMailViteApp.php:21
action · admin_enqueue_scripts · src\Utils\YayMailViteApp.php:22
action · admin_head · src\Utils\YayMailViteApp.php:49
action · wp_head · src\Utils\YayMailViteApp.php:50
filter · script_loader_tag · src\Utils\YayMailViteApp.php:81
filter · woocommerce_prepare_email_for_preview · src\WooHandler.php:18
filter · woocommerce_mail_content · src\WooHandler.php:19
filter · woocommerce_get_settings_email · src\WooHandler.php:21
filter · woocommerce_get_settings_advanced · src\WooHandler.php:22
filter · yaymail_previewing_template_is_yaymail_template · src\WooHandler.php:64
action · woocommerce_admin_field_yaymail_button · src\WooHandler.php:133
action · admin_enqueue_scripts · src\YayCommerceMenu\LicensesMenu.php:26
action · admin_enqueue_scripts · src\YayCommerceMenu\OtherPluginsMenu.php:162
action · admin_enqueue_scripts · src\YayCommerceMenu\RegisterMenu.php:57
action · admin_menu · src\YayCommerceMenu\RegisterMenu.php:58
action · admin_menu · src\YayCommerceMenu\RegisterMenu.php:59
action · admin_notices · templates\fallbacks\fallback-exists.php:4
action · admin_notices · templates\fallbacks\fallback-minimum-php.php:5
action · admin_notices · templates\fallbacks\fallback-minimum-wp.php:7
action · admin_init · yaymail.php:75
action · admin_notices · yaymail.php:113
action · before_woocommerce_init · yaymail.php:115
action · plugins_loaded · yaymail.php:141

Scheduled Events 1

check_license_cron
Maintenance & Trust

YayMail – WooCommerce Email Customizer Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 12, 2026
PHP min version: 5.4
Downloads: 1.3M

Community Trust

Rating: 96/100
Number of ratings: 288
Active installs: 50K

Developer Profile

YayMail – WooCommerce Email Customizer Developer Profile

YayCommerce

16 plugins · 78K total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 133 days

Detection Fingerprints

How We Detect YayMail – WooCommerce Email Customizer

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

  • /wp-content/plugins/yaymail/assets/css/admin.css
  • /wp-content/plugins/yaymail/assets/css/vendors.css
  • /wp-content/plugins/yaymail/assets/js/admin.js
  • /wp-content/plugins/yaymail/assets/js/vendors.js
  • /wp-content/plugins/yaymail/assets/scripts/wp-editor-plugins/advlist/plugin.min.js
  • /wp-content/plugins/yaymail/assets/scripts/wp-editor-plugins/autolink/plugin.min.js
  • /wp-content/plugins/yaymail/assets/scripts/wp-editor-plugins/searchreplace/plugin.min.js
  • /wp-content/plugins/yaymail/assets/scripts/wp-editor-plugins/code/plugin.min.js
  • +29 more

Script Paths

  • /wp-content/plugins/yaymail/assets/js/admin.js
  • /wp-content/plugins/yaymail/assets/js/vendors.js
  • /wp-content/plugins/yaymail/assets/scripts/vendors/vue.js
  • /wp-content/plugins/yaymail/assets/scripts/vendors/vuex.js
  • /wp-content/plugins/yaymail/assets/scripts/vendors/vuetify.js
  • /wp-content/plugins/yaymail/assets/scripts/vendors/axios.js
  • +2 more

Version Parameters

  • yaymail/assets/css/admin.css?ver=
  • yaymail/assets/css/vendors.css?ver=
  • yaymail/assets/js/admin.js?ver=
  • yaymail/assets/js/vendors.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/advlist/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/autolink/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/searchreplace/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/code/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/visualblocks/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/insertdatetime/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/lists/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/fullscreen/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/media/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/paste/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/contextmenu/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/directionality/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/nonbreaking/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/visualchars/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/template/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/charmap/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/hr/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/anchor/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/spellchecker/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/wordcount/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/textcolor/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/colorpicker/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/importcss/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/save/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/legacyoutput/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/pagebreak/plugin.min.js?ver=
  • yaymail/assets/scripts/wp-editor-plugins/toc/plugin.min.js?ver=
  • yaymail/assets/scripts/vendors/vue.js?ver=
  • yaymail/assets/scripts/vendors/vuex.js?ver=
  • yaymail/assets/scripts/vendors/vuetify.js?ver=
  • yaymail/assets/scripts/vendors/axios.js?ver=
  • yaymail/assets/scripts/vendors/lodash.js?ver=
  • yaymail/assets/scripts/admin/main.js?ver=

HTML / DOM Fingerprints

CSS Classes

  • yaymail-admin
  • yaymail-email-builder
  • yaymail-settings-page
  • yaymail-builder-canvas

HTML Comments

  • <!-- YayMail: BEGIN -->
  • <!-- YayMail: END -->
  • <!-- YayMail Email Builder: BEGIN -->
  • <!-- YayMail Email Builder: END -->
  • +4 more

Data Attributes

  • data-yaymail-editor
  • data-yaymail-block
  • data-yaymail-setting
  • data-yaymail-template-id

JS Globals

  • window.YayMail
  • window.Vue
  • window.Vuetify
  • window.axios
  • window.lodash

REST Endpoints

  • /wp-json/yaymail/v1/settings
  • /wp-json/yaymail/v1/emails
  • /wp-json/yaymail/v1/templates
  • /wp-json/yaymail/v1/builder

FAQ

Frequently Asked Questions about YayMail – WooCommerce Email Customizer