CVE-2026-1831

YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Plugin Installation and Activation

Severity: Low (Missing Authorization)
CVSS Score: 2.7
Patched in: 4.3.3
Time to patch: 1d

Description

The YayMail - WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymail_install_yaysmtp' AJAX action and `/yaymail/v1/addons/activate` REST endpoint in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to install and activate the YaySMTP plugin.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 4.3.2
Published: February 17, 2026
Last updated: February 18, 2026
Affected plugin: yaymail

What Changed in the Fix

Changes introduced in v4.3.3


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-1831 - YayMail Missing Authorization

1. Vulnerability Summary

The YayMail – WooCommerce Email Customizer plugin (versions <= 4.3.2) fails to implement sufficient authorization checks on two specific entry points:

  1. AJAX Action: yaymail_install_yaysmtp
  2. REST API Endpoint: /yaymail/v1/addons/activate

The vulnerability allows authenticated users with Shop Manager level permissions (or any role holding manage_woocommerce or a similar mid-level capability) to install and activate the YaySMTP plugin. In a standard WordPress installation, installing and activating plugins requires the install_plugins and activate_plugins capabilities, which by default only Administrators hold.

2. Attack Vector Analysis

  • Endpoints:
    • POST /wp-admin/admin-ajax.php?action=yaymail_install_yaysmtp
    • POST /wp-json/yaymail/v1/addons/activate
  • Required Role: Shop Manager (Authenticated).
  • Payload Parameters:
    • For AJAX: action=yaymail_install_yaysmtp (and likely a nonce).
    • For REST: The endpoint /yaymail/v1/addons/activate likely expects a JSON body or query parameter identifying the addon (e.g., {"slug": "yaysmtp"}).
  • Preconditions: YaySMTP must not already be installed and active, and the target must be able to reach the WordPress.org plugin repository to download it.

3. Code Flow (Inferred from Patch/Description)

  1. AJAX Entry Point: The plugin registers the action wp_ajax_yaymail_install_yaysmtp.
  2. Missing Check: The callback function for this action likely lacks a current_user_can( 'install_plugins' ) check. It may only check is_user_logged_in() or a lower-level capability like manage_woocommerce.
  3. REST Entry Point: The route /yaymail/v1/addons/activate is registered via register_rest_route.
  4. Permission Callback: The permission_callback for this route likely returns true for any user with Shop Manager access, or fails to verify the specific capability required for plugin manipulation.
  5. Sink: The backend logic uses WordPress core functions like plugins_api(), WP_Upgrader, or activate_plugin() to fetch and enable the YaySMTP plugin.

4. Nonce Acquisition Strategy

The AJAX handler likely verifies a nonce. Based on the file assets/dist/yaymail/yaymail-main.tsx-523766ce.js, the plugin is a React-based application. It likely localizes its settings and nonces into a global JavaScript object.

Extraction Steps:

  1. Create a Shop Manager user.
  2. Login as the Shop Manager and navigate to the YayMail interface (usually under WooCommerce > Email Customizer or a top-level YayMail menu).
  3. The plugin likely enqueues its settings via wp_localize_script. Common variable names for this plugin include yaymail_settings or yaymail_localize.
  4. Evaluate the following expressions in the browser's developer console to locate the nonce:
    • window.yaymail_settings?.nonce
    • window.yaymail_localize?.nonce
    • window.yaymail_settings?.ajax_nonce

5. Exploitation Strategy

Phase 1: AJAX Installation

  1. Target URL: http://[target]/wp-admin/admin-ajax.php
  2. Method: POST
  3. Headers: Content-Type: application/x-www-form-urlencoded
  4. Body:
    action=yaymail_install_yaysmtp&nonce=[EXTRACTED_NONCE]
    

Phase 2: REST Activation

If the installation succeeds but activation is a separate step:

  1. Target URL: http://[target]/wp-json/yaymail/v1/addons/activate
  2. Method: POST
  3. Headers:
    • Content-Type: application/json
    • X-WP-Nonce: [REST_NONCE] (cookie-authenticated REST requests must carry a nonce created with the 'wp_rest' action; it is exposed as window.wpApiSettings.nonce or can be found in the page source).
  4. Body (Inferred):
    {
      "slug": "yaysmtp"
    }
    

6. Test Data Setup

  1. Install YayMail: Ensure version 4.3.2 or lower is installed.
  2. WooCommerce: Ensure WooCommerce is active (as YayMail is a WooCommerce customizer).
  3. Attacker User:
    wp user create attacker attacker@example.com --role=shop_manager --user_pass=password
    
  4. Verify Initial State:
    wp plugin is-installed yaysmtp || echo "Not installed"
    

7. Expected Results

  • AJAX Request: Should return a 200 OK with a JSON body indicating success (e.g., {"success": true, "data": "..."}).
  • REST Request: Should return a 200 OK or 201 Created indicating the plugin was activated.
  • System State: The yaysmtp directory should now exist in wp-content/plugins/ and its main plugin file should be listed in the active_plugins option.

8. Verification Steps

After performing the HTTP requests:

  1. Check Plugin Installation:
    wp plugin is-installed yaysmtp
    
  2. Check Plugin Status:
    wp plugin status yaysmtp
    
  3. Check if Active:
    wp plugin is-active yaysmtp
    

9. Alternative Approaches

  • Generic Addon Activation: If yaysmtp is not the only addon, check if the REST endpoint /yaymail/v1/addons/activate accepts other slugs.
  • Direct REST Exploration: If the AJAX action fails due to strict nonce checking, focus on the REST endpoint. REST endpoints often have weaker permission_callback implementations in plugins that bridge specialized roles like Shop Manager.
  • Search for other nonces: If the yaymail_settings object is not found, search the HTML source for any string containing _nonce or nonce within <script> tags to identify the correct localization variable.
Research Findings
Static analysis — not yet PoC-verified

Summary

The YayMail plugin for WordPress is vulnerable to unauthorized plugin installation and activation due to missing capability checks on the 'yaymail_install_yaysmtp' AJAX action and REST API endpoints. This allows authenticated attackers with Shop Manager-level permissions or higher to install and activate the YaySMTP plugin, a privilege normally reserved for Administrators.

Vulnerable Code

// src/Ajax.php line 230
public function yaymail_install_yaysmtp() {
    $nonce = isset( $_POST['nonce'] ) ? sanitize_text_field( $_POST['nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'yaymail_frontend_nonce' ) ) {
        return wp_send_json_error( [ 'mess' => __( 'Verify nonce failed', 'yaymail' ) ] );
    }
    // Missing capability check before proceeding to installation
    try {
        $is_installed = $this->process_plugin_installer( 'yaysmtp' );

---

// src/Controllers/AddonController.php line 39
register_rest_route(
    YAYMAIL_REST_NAMESPACE,
    '/addons/activate',
    [
        [
            'methods'             => \WP_REST_Server::EDITABLE,
            'callback'            => [ $this, 'exec_activate_addon' ],
            'permission_callback' => [ $this, 'permission_callback' ], // Evaluates to true for Shop Managers
        ],
    ]
);
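A hardened version of both entry points, added here as an example; it is not YayMail's code and not the vendor's 4.3.3 fix. It goes beyond that fix in three ways: the AJAX handler requires both install_plugins and activate_plugins (it installs and activates, so either capability alone is insufficient), the REST route declares an args schema that rejects any slug outside a fixed addon allowlist before the callback runs, and both paths resolve the slug through get_plugins() instead of building a filesystem path from input. The example_* names, the 'yaymail/v1' namespace literal (the page only shows the route under /wp-json/yaymail/v1/) and the single-entry allowlist are assumptions; the hooks and core functions (check_ajax_referer, plugins_api, Plugin_Upgrader, activate_plugin, register_rest_route) are WordPress core APIs.

```php
<?php
/**
 * Hardened replacements for YayMail's two entry points (added example, not
 * the plugin's code). Identifiers prefixed example_* are assumptions.
 */

// Addons this integration may install or activate. Anything else is rejected up front.
const EXAMPLE_YAYMAIL_ADDONS = [ 'yaysmtp' ];

/**
 * Map an addon slug to the installed plugin file (e.g. 'yaysmtp/yaysmtp.php')
 * or null when no plugin lives in that directory. The path is never built from input.
 */
function example_yaymail_find_plugin_file( string $slug ): ?string {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    foreach ( array_keys( get_plugins() ) as $file ) {
        if ( dirname( $file ) === $slug ) {
            return $file;
        }
    }
    return null;
}

/* ---- AJAX: wp_ajax_yaymail_install_yaysmtp ---- */
add_action( 'wp_ajax_yaymail_install_yaysmtp', 'example_yaymail_install_yaysmtp' );

function example_yaymail_install_yaysmtp(): void {
    // The nonce only proves the request came from the plugin's own UI (CSRF); it is not authorization.
    check_ajax_referer( 'yaymail_frontend_nonce', 'nonce' );

    // The handler installs AND activates, so require both capabilities. Under DISALLOW_FILE_MODS
    // core maps install_plugins to do_not_allow, so that site setting is honoured here as well.
    if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( [ 'mess' => __( 'You do not have permission to install plugins', 'yaymail' ) ], 403 );
    }

    $plugin_file = example_yaymail_find_plugin_file( 'yaysmtp' );

    if ( null === $plugin_file ) {
        require_once ABSPATH . 'wp-admin/includes/file.php';
        require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
        require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';

        $api = plugins_api( 'plugin_information', [ 'slug' => 'yaysmtp', 'fields' => [ 'sections' => false ] ] );
        if ( is_wp_error( $api ) ) {
            wp_send_json_error( [ 'mess' => $api->get_error_message() ], 502 );
        }

        $upgrader  = new Plugin_Upgrader( new WP_Ajax_Upgrader_Skin() );
        $installed = $upgrader->install( $api->download_link ); // true, false or WP_Error
        if ( true !== $installed ) {
            $mess = is_wp_error( $installed ) ? $installed->get_error_message() : 'Install failed';
            wp_send_json_error( [ 'mess' => $mess ], 500 );
        }
        $plugin_file = $upgrader->plugin_info(); // plugin file reported by the upgrader, or false
        if ( ! $plugin_file ) {
            wp_send_json_error( [ 'mess' => 'Installed, but plugin file could not be determined' ], 500 );
        }
    }

    $result = activate_plugin( $plugin_file ); // null on success, WP_Error otherwise
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( [ 'mess' => $result->get_error_message() ], 500 );
    }
    wp_send_json_success( [ 'plugin' => $plugin_file ] );
}

/* ---- REST: POST /wp-json/yaymail/v1/addons/activate ---- */
add_action( 'rest_api_init', function (): void {
    register_rest_route( 'yaymail/v1', '/addons/activate', [
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_yaymail_activate_addon',
        // Return a WP_Error rather than false so the client sees 401 vs 403 correctly.
        'permission_callback' => function () {
            if ( current_user_can( 'activate_plugins' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                __( 'Sorry, you are not allowed to activate plugins.', 'yaymail' ),
                [ 'status' => rest_authorization_required_code() ]
            );
        },
        // Schema validation runs before the callback: a slug outside the enum is a 400.
        'args'                => [
            'slug' => [ 'required' => true, 'type' => 'string', 'enum' => EXAMPLE_YAYMAIL_ADDONS ],
        ],
    ] );
} );

function example_yaymail_activate_addon( WP_REST_Request $request ) {
    $plugin_file = example_yaymail_find_plugin_file( $request->get_param( 'slug' ) );
    if ( null === $plugin_file ) {
        return new WP_Error( 'yaymail_addon_not_installed', __( 'Addon is not installed.', 'yaymail' ), [ 'status' => 404 ] );
    }
    $result = activate_plugin( $plugin_file );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( [ 'activated' => $plugin_file ] );
}
```

The capability check sits before any network or filesystem work, and the slug is treated as a lookup key into get_plugins() rather than as a path fragment, which is the shape a reviewer would want for any install-or-activate endpoint regardless of which roles the plugin's UI is exposed to.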

Security Fix

--- /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.2/src/Ajax.php	2025-12-17 13:01:26.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.3/src/Ajax.php	2026-02-12 15:49:00.000000000 +0000
@@ -231,6 +231,11 @@
         if ( ! wp_verify_nonce( $nonce, 'yaymail_frontend_nonce' ) ) {
             return wp_send_json_error( [ 'mess' => __( 'Verify nonce failed', 'yaymail' ) ] );
         }
+
+        if ( ! current_user_can( 'install_plugins' ) && ! current_user_can( 'activate_plugins' ) ) {
+            return wp_send_json_error( [ 'mess' => __( 'You do not have permission to install plugins', 'yaymail' ) ] );
+        }
+
         try {
             $is_installed = $this->process_plugin_installer( 'yaysmtp' );
 
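Review bot: the `&&` in the added condition admits a caller who holds either capability, but the code that follows (`process_plugin_installer( 'yaysmtp' )`) installs and, per the advisory, activates, so a user with only `activate_plugins` can still trigger a plugin install. It also defeats DISALLOW_FILE_MODS: on such sites core maps `install_plugins` to `do_not_allow` but leaves `activate_plugins` granted, so an administrator would pass this check and the installer would write files anyway. Require both: `if ( ! current_user_can( 'install_plugins' ) || ! current_user_can( 'activate_plugins' ) ) {`. The `yaymail_frontend_nonce` check above is CSRF protection only and is correctly not relied on for authorization.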
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.2/src/Controllers/AddonController.php /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.3/src/Controllers/AddonController.php
--- /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.2/src/Controllers/AddonController.php	2025-12-17 13:01:26.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.3/src/Controllers/AddonController.php	2026-02-12 15:49:00.000000000 +0000
@@ -21,6 +21,10 @@
         $this->init_hooks();
     }
 
+    protected function permission_callback_admin_only() {
+        return current_user_can( 'activate_plugins' );
+    }
+
     protected function init_hooks() {
         register_rest_route(
             YAYMAIL_REST_NAMESPACE,
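Review bot: `permission_callback_admin_only()` is named after a role but tests a capability, which is the right thing to test and the wrong thing to call it; on sites that grant `activate_plugins` to other roles the name will mislead the next reader, so name it after the capability (e.g. `permission_callback_can_activate_plugins`) and give it a docblock. Returning a `WP_Error` with `[ 'status' => rest_authorization_required_code() ]` instead of a bare `false` would also let the REST server distinguish an unauthenticated caller (401) from an authenticated one lacking the capability (403). If `exec_activate_addon` can download an addon that is not yet installed (not visible in this diff), `install_plugins` needs to be checked here too.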
@@ -40,7 +44,7 @@
                 [
                     'methods'             => \WP_REST_Server::EDITABLE,
                     'callback'            => [ $this, 'exec_activate_addon' ],
-                    'permission_callback' => [ $this, 'permission_callback' ],
+                    'permission_callback' => [ $this, 'permission_callback_admin_only' ],
                 ],
             ]
         );
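Review bot: the callback swap fixes who may call the route, but the registration shown here still has no `args` entry, so nothing in this diff constrains the addon slug that `exec_activate_addon` receives before the callback runs. Add an `args` schema for the slug with `'enum' => [ ...known addon slugs... ]` (or a `validate_callback`) so unknown values are rejected with a 400, and confirm in `exec_activate_addon` that the slug is resolved through `get_plugins()` rather than concatenated into a plugin path.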
@@ -51,7 +55,7 @@
                 [
                     'methods'             => \WP_REST_Server::EDITABLE,
                     'callback'            => [ $this, 'exec_deactivate_addon' ],
-                    'permission_callback' => [ $this, 'permission_callback' ],
+                    'permission_callback' => [ $this, 'permission_callback_admin_only' ],
                 ],
             ]
         );
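Review bot: same one-line swap for the deactivate route, which is correct, but the diff touches only these two routes while the `register_rest_route` call visible at the end of the earlier hunk's context keeps whatever permission callback it had. Every route registered in `init_hooks()` that changes site state should be checked against the same question, and the original `permission_callback`, still in use for the untouched routes, should be documented as to what it actually grants (the advisory notes it passed for Shop Managers).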

Exploit Outline

The exploit targets the AJAX action and REST API. An attacker authenticated with a Shop Manager role first extracts the 'yaymail_frontend_nonce' from the localized script variables in the WordPress admin dashboard (e.g., window.yaymail_settings.nonce). To install the plugin, the attacker sends a POST request to wp-admin/admin-ajax.php with the action 'yaymail_install_yaysmtp' and the valid nonce. To activate the plugin, the attacker sends a POST request to the REST endpoint /wp-json/yaymail/v1/addons/activate, providing the slug 'yaysmtp'. Because the plugin only checks for a valid session and nonce but fails to verify if the user has 'install_plugins' or 'activate_plugins' capabilities, the requests succeed.
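For sites that cannot take 4.3.3 immediately, an interim guard deployed as a must-use plugin, added here as an example and not vendor code: it denies the AJAX action to anyone lacking both capabilities before YayMail's own handler runs, short-circuits both REST routes ahead of the plugin's permission_callback, and logs each denied attempt so a Shop Manager probing these endpoints shows up in the PHP error log. The action and route names are the ones in the advisory; the `example_` prefix, the log format and the file header are assumptions. The hooks used (`wp_ajax_{action}`, `rest_request_before_callbacks`) are WordPress core hooks, and the REST filter fires after authentication but before the route's permission callback.

```php
<?php
/**
 * Plugin Name: YayMail CVE-2026-1831 interim guard (added example, not vendor code)
 * Description: Drop into wp-content/mu-plugins/ until YayMail >= 4.3.3 is deployed, then remove.
 */

// Entry points named in the advisory.
const EXAMPLE_GUARD_AJAX_ACTION = 'yaymail_install_yaysmtp';
const EXAMPLE_GUARD_REST_ROUTES = [
    '/yaymail/v1/addons/activate',
    '/yaymail/v1/addons/deactivate',
];

/** Write one line per denied attempt to the PHP error log (format is an assumption). */
function example_guard_log( string $entry_point ): void {
    $user = wp_get_current_user();
    error_log( sprintf(
        '[yaymail-guard] denied %s user=%d login=%s roles=%s ip=%s',
        $entry_point,
        $user->ID,
        $user->user_login,
        implode( ',', (array) $user->roles ),
        $_SERVER['REMOTE_ADDR'] ?? '-' // behind a proxy, take the client IP from your trusted header instead
    ) );
}

// 1. AJAX. mu-plugins load before regular plugins and this hook uses priority 0,
//    so it runs ahead of YayMail's handler; wp_send_json_error() exits, so the
//    plugin's callback never executes for a denied caller.
add_action( 'wp_ajax_' . EXAMPLE_GUARD_AJAX_ACTION, function (): void {
    if ( current_user_can( 'install_plugins' ) && current_user_can( 'activate_plugins' ) ) {
        return; // administrators fall through to the real handler
    }
    example_guard_log( 'ajax:' . EXAMPLE_GUARD_AJAX_ACTION );
    wp_send_json_error( [ 'mess' => 'Forbidden' ], 403 );
}, 0 );

// 2. REST. This filter runs after cookie/nonce authentication and before the
//    route's own permission_callback; returning a WP_Error ends the request.
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, WP_REST_Request $request ) {
    $route = rtrim( (string) $request->get_route(), '/' );
    if ( ! in_array( $route, EXAMPLE_GUARD_REST_ROUTES, true ) ) {
        return $response; // not one of the guarded routes
    }
    if ( current_user_can( 'activate_plugins' ) ) {
        return $response;
    }
    example_guard_log( 'rest:' . $route );
    return new WP_Error(
        'rest_forbidden',
        'Sorry, you are not allowed to do that.',
        [ 'status' => rest_authorization_required_code() ]
    );
}, 10, 3 );
```

The guard is deliberately stricter than the vendor fix on the AJAX side (both capabilities rather than either one) because that handler performs an install. It is a stopgap, not a replacement for the update: it only covers the entry points the advisory names, so remove it once 4.3.3 is in place rather than letting it mask future changes in the plugin.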
