CVE-2026-1938

YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) License Key Deletion via '/yaymail-license/v1/license/delete' Endpoint

Severity: Medium (Missing Authorization)
CVSS Score: 5.3
Patched in: 4.3.3
Time to patch: 1d

Description

The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized license key deletion due to a missing authorization check on the `/yaymail-license/v1/license/delete` REST endpoint in versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to delete the plugin's license key via the '/yaymail-license/v1/license/delete' endpoint, provided they can obtain the REST API nonce.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 4.3.2
Published: February 17, 2026
Last updated: February 18, 2026
Affected plugin: yaymail

What Changed in the Fix

Changes introduced in v4.3.3


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-1938 - YayMail License Deletion

1. Vulnerability Summary

The YayMail – WooCommerce Email Customizer plugin (versions <= 4.3.2) fails to implement proper authorization checks on its custom REST API endpoint /yaymail-license/v1/license/delete. While the endpoint is protected by a WordPress REST API nonce (ensuring the request is from a legitimate session), it does not verify that the authenticated user possesses administrative privileges before proceeding with the license key deletion. This allows users with the Shop Manager role (standard in WooCommerce) to delete the plugin's license, potentially disabling premium features and support.

2. Attack Vector Analysis

  • Endpoint: /wp-json/yaymail-license/v1/license/delete
  • Method: POST (inferred as the standard for action-based deletion in YayMail's REST structure) or DELETE.
  • Authentication: Required (at least Shop Manager level).
  • Required Parameter: _wpnonce (sent via X-WP-Nonce header or _wpnonce body parameter).
  • Vulnerability Type: Missing Authorization (Insecure Direct Object Reference / Broken Access Control).

3. Code Flow (Inferred)

The vulnerability resides in the REST API registration logic, likely within the plugin's license management component.

  1. Registration: The plugin registers the route using register_rest_route('yaymail-license/v1', '/license/delete', ...).
  2. Vulnerable Parameter: The permission_callback for this route is likely missing, set to __return_true, or only checks if the user is logged in (e.g., is_user_logged_in()) without checking for manage_options or specific license-management capabilities.
  3. Execution: The controller function associated with the route calls the internal license deletion logic (likely delete_option('yaymail_license_key') or similar).

4. Nonce Acquisition Strategy

The endpoint requires a valid WordPress REST API nonce (wp_rest action). This nonce is tied to the user's session.

  1. User Role: The attacker must be logged in as a Shop Manager.
  2. Strategy:
    • Log in to the WordPress admin dashboard as a Shop Manager.
    • Navigate to any admin page (e.g., /wp-admin/index.php).
    • Use the browser_eval tool to extract the global WordPress REST settings.
    • JavaScript Variable: window.wpApiSettings.nonce
    • Alternative Location: If wpApiSettings is missing, the nonce can often be found in the header of the page source: grep -oP 'var wpApiSettings = \{.*"nonce":"\K[a-f0-9]{10}'.

5. Exploitation Strategy

Step 1: Pre-exploitation Setup

  1. Ensure WooCommerce and YayMail are active.
  2. Create a user with the shop_manager role.
  3. Set a dummy license key in the database to verify deletion:
    wp option update yaymail_license_key "VULN-RESEARCH-PRO-KEY-1234"
    wp option update yaymail_license_status "active"

Step 2: Acquire Nonce

  1. Log in to the site as the Shop Manager using the browser_navigate and browser_type tools.
  2. Execute: browser_eval("window.wpApiSettings.nonce") to retrieve the nonce string (e.g., a1b2c3d4e5).

Step 3: Trigger Deletion

Send the unprivileged request to the REST API.

Request:

POST /wp-json/yaymail-license/v1/license/delete HTTP/1.1
Host: [TARGET_HOST]
X-WP-Nonce: [ACQUIRED_NONCE]
Content-Type: application/json

{}

(Note: If POST fails, retry with the DELETE method).

Step 4: Verification

Verify if the license options were removed.

6. Test Data Setup

  • Plugin Version: YayMail 4.3.2.
  • Dependency: WooCommerce (required for Shop Manager role).
  • Attacker User:
    • Username: shopmgr_attacker
    • Password: password123
    • Role: shop_manager
  • Initial State:
    • yaymail_license_key option exists in wp_options.

7. Expected Results

  • Success Response: 200 OK or 204 No Content, likely with a JSON body indicating success (e.g., {"success": true}).
  • Unauthorized Response (If Patched): 403 Forbidden with an "rest_cannot_edit" or "rest_forbidden" error code.
  • Impact: The yaymail_license_key option is deleted from the database.

8. Verification Steps (Post-Exploit)

Run the following WP-CLI commands to confirm the license was successfully deleted by the unauthorized user:

# Check if the license key option still exists
wp option get yaymail_license_key

# Expected output: "Error: Could not get 'yaymail_license_key' option."

9. Alternative Approaches

If the REST endpoint /yaymail-license/v1/license/delete requires specific parameters not mentioned in the advisory:

  1. Parameter Discovery: Use browser_navigate to the YayMail license settings page as an Admin and monitor network requests in the browser console when clicking "Delete License" or "Deactivate".
  2. Method Variance: If POST returns 404 or 405, try DELETE.
  3. Legacy AJAX: Check if there is a corresponding wp_ajax_ fallback:
    grep -rn "wp_ajax_yaymail_license_delete" . (inferred action name).

Research Findings
Static analysis — not yet PoC-verified

Summary

The YayMail plugin for WordPress is vulnerable to unauthorized license key deletion due to a missing authorization check on the /yaymail-license/v1/license/delete REST API endpoint. This allows authenticated attackers with Shop Manager-level permissions to delete the plugin's license key, potentially disabling premium features.

Vulnerable Code

/* src/License/RestAPI.php */

    public function permission_callback() {
        return true;
    }

---

/* src/Controllers/AddonController.php */

        register_rest_route(
            YAYMAIL_REST_NAMESPACE,
            '/activate-addon',
            [
                [
                    'methods'             => \WP_REST_Server::EDITABLE,
                    'callback'            => [ $this, 'exec_activate_addon' ],
                    'permission_callback' => [ $this, 'permission_callback' ],
                ],
            ]
        );

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.2/src/Controllers/AddonController.php	2025-12-17 13:01:26.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.3/src/Controllers/AddonController.php	2026-02-12 15:49:00.000000000 +0000
@@ -21,6 +21,10 @@
         $this->init_hooks();
     }
 
+    protected function permission_callback_admin_only() {
+        return current_user_can( 'activate_plugins' );
+    }
+
     protected function init_hooks() {
         register_rest_route(
             YAYMAIL_REST_NAMESPACE,
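Review bot: The new permission_callback_admin_only() gates on activate_plugins while the companion fix in src/License/RestAPI.php gates on manage_options; the two capabilities are not equivalent in every WordPress configuration, so either use one capability for all admin-only YayMail routes or add a docblock stating why addon activation maps to activate_plugins, so the access policy stays reviewable in one place.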
@@ -40,7 +44,7 @@
                 [
                     'methods'             => \WP_REST_Server::EDITABLE,
                     'callback'            => [ $this, 'exec_activate_addon' ],
-                    'permission_callback' => [ $this, 'permission_callback' ],
+                    'permission_callback' => [ $this, 'permission_callback_admin_only' ],
                 ],
             ]
         );
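Review bot: The method referenced on the removed line, [ $this, 'permission_callback' ], is still present on this controller as far as the diff shows; nothing here deletes or hardens it, so any route that still binds to it (now or after a future edit) keeps the old return-true behaviour. Suggest removing the permissive method from AddonController, or making it delegate to permission_callback_admin_only(), so the admin-only callback is the only one available.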
@@ -51,7 +55,7 @@
                 [
                     'methods'             => \WP_REST_Server::EDITABLE,
                     'callback'            => [ $this, 'exec_deactivate_addon' ],
-                    'permission_callback' => [ $this, 'permission_callback' ],
+                    'permission_callback' => [ $this, 'permission_callback_admin_only' ],
                 ],
             ]
         );
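Review bot: With exec_deactivate_addon now behind the same admin-only callback as activation, lock the behaviour in with a regression test: dispatch to both addon routes as a shop_manager and assert a rest_forbidden response, so a later refactor cannot quietly rebind either route to a permissive callback.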
--- /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.2/src/License/RestAPI.php	2025-12-17 13:01:26.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.3/src/License/RestAPI.php	2026-02-12 15:49:00.000000000 +0000
@@ -140,6 +140,6 @@
     }
 
     public function permission_callback() {
-        return true;
+        return current_user_can( 'manage_options' );
     }
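Review bot: Returning false from permission_callback() is correct but yields only WordPress core's generic rest_forbidden message; returning new \WP_Error( 'rest_forbidden', ..., [ 'status' => 403 ] ) would give a descriptive body for the license routes. The hunk changes the callback body but shows no route registrations, so confirm that every route in this file that was bound to permission_callback (including /license/delete) is now covered, and add a test asserting a shop_manager gets rest_forbidden on /license/delete.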

Exploit Outline

To exploit this vulnerability, an attacker must have an account with at least Shop Manager privileges. The attacker first logs into the WordPress dashboard and retrieves a valid REST API nonce (found in the 'wpApiSettings' JavaScript object). Using this nonce, the attacker sends a POST or DELETE request to the '/wp-json/yaymail-license/v1/license/delete' endpoint. Because the 'permission_callback' for this route in versions <= 4.3.2 simply returns 'true', the request is authorized based on authentication alone, allowing the deletion of the 'yaymail_license_key' option from the database.
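As an added example (not the plugin's code or the advisory's own material), a small Python audit that flags the pattern this CVE is an instance of: a register_rest_route call whose permission_callback is missing, is `__return_true`, or points to a method whose whole body is `return true;`. The PHP sample is constructed to mirror the shape of the vulnerable and fixed code above; the class, route and method names are illustrative, and the audit is regex-based, so it is a review aid rather than a full PHP parser.

```python
import re

# Constructed PHP sample modelled on the shape of the page's vulnerable code
# (this is not the plugin's real source; names are illustrative).
VULNERABLE_PHP = r"""
class RestAPI {
    public function permission_callback() {
        return true;
    }
    protected function init_hooks() {
        register_rest_route( 'yaymail-license/v1', '/license/delete', [
            'methods'             => \WP_REST_Server::EDITABLE,
            'callback'            => [ $this, 'exec_delete' ],
            'permission_callback' => [ $this, 'permission_callback' ],
        ] );
        register_rest_route( 'yaymail-license/v1', '/license/status', [
            'methods'             => 'GET',
            'callback'            => [ $this, 'exec_status' ],
            'permission_callback' => '__return_true',
        ] );
    }
}
"""
# Same sample with the capability check the 4.3.3 fix introduced.
FIXED_PHP = VULNERABLE_PHP.replace("return true;", "return current_user_can( 'manage_options' );")

# Methods whose body is a single return statement: name -> returned expression.
METHOD_RE = re.compile(r"function\s+(\w+)\s*\([^)]*\)\s*\{\s*return\s+([^;]+);\s*\}")
# Namespace and route of each register_rest_route() call.
ROUTE_RE = re.compile(r"register_rest_route\(\s*'([^']+)'\s*,\s*'([^']+)'")
# permission_callback given as a string ('__return_true') or as [ $this, 'method' ].
PERM_RE = re.compile(r"'permission_callback'\s*=>\s*(?:'(\w+)'|\[\s*\$this\s*,\s*'(\w+)'\s*\])")

def audit_rest_routes(php_source):
    """Return (route, reason) pairs for routes whose permission_callback is
    absent, __return_true, or a method that does nothing but return true."""
    trivial = {name for name, body in METHOD_RE.findall(php_source) if body.strip() == "true"}
    findings = []
    # Each route's registration runs from its call up to the next call (or EOF).
    starts = [m.start() for m in ROUTE_RE.finditer(php_source)] + [len(php_source)]
    for i, m in enumerate(ROUTE_RE.finditer(php_source)):
        chunk = php_source[starts[i]:starts[i + 1]]
        route = m.group(1) + m.group(2)
        perm = PERM_RE.search(chunk)
        if perm is None:
            findings.append((route, "no permission_callback"))
        elif perm.group(1) == "__return_true":
            findings.append((route, "permission_callback is __return_true"))
        elif perm.group(2) in trivial:
            findings.append((route, f"{perm.group(2)}() always returns true"))
    return findings
```

A flagged GET route may be intentionally public, so findings are review items; a flagged state-changing route (EDITABLE/DELETABLE) is the case this advisory describes.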
