[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fkwqSE5uoUTBJ0fpkI_LJB3n8x424LkNCZsJ6NAp1ugs":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":26,"research_verified":27,"research_rounds_completed":28,"research_plan":29,"research_summary":30,"research_vulnerable_code":31,"research_fix_diff":32,"research_exploit_outline":33,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":27,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":27,"source_links":37},"CVE-2026-39498","yaymail-woocommerce-email-customizer-authenticated-shop-manager-php-object-injection","YayMail – WooCommerce Email Customizer \u003C= 4.3.3 - Authenticated (Shop manager+) PHP Object Injection","The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to PHP Object Injection in versions up to, and including, 4.3.3 via deserialization of untrusted input. This makes it possible for authenticated attackers, with shop manager-level access and above, to inject a PHP Object. No known POP chain is present in the vulnerable software. 
If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.","yaymail",null,"\u003C=4.3.3","4.3.4","medium",6.6,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:H\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Deserialization of Untrusted Data","2026-04-20 00:00:00","2026-04-30 14:59:14",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F689878cd-3e25-49e9-9e85-28ecf5ed2e94?source=api-prod",11,[22,23,24,25],"assets\u002Fdist\u002Fyaymail\u002Fmanifest.json","assets\u002Fdist\u002Fyaymail\u002Fvendor_antd_form-9ff52ab8.js","assets\u002Fdist\u002Fyaymail\u002Fvendor_antd_table-57908d1d.js","assets\u002Fdist\u002Fyaymail\u002Fyaymail-main-909f2949.css","researched",false,3,"# Exploitation Research Plan - CVE-2026-39498 (YayMail PHP Object Injection)\n\n## 1. Vulnerability Summary\nThe **YayMail – WooCommerce Email Customizer** plugin (\u003C= 4.3.3) is vulnerable to **PHP Object Injection** via the deserialization of untrusted input. The vulnerability exists because certain AJAX endpoints or settings-saving mechanisms take user-provided strings and pass them to `unserialize()` or `maybe_unserialize()` without sufficient validation. While the plugin itself may not contain a direct POP (Property-Oriented Programming) chain, an attacker can leverage POP chains in other active plugins or WordPress core to achieve remote code execution (RCE), file deletion, or sensitive data retrieval.\n\n## 2. 
Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `yaymail_import_template` (Inferred as the primary vector for \"import\" functionality) or `yaymail_duplicate_template`.\n*   **Vulnerable Parameter:** `template` or `data` (Inferred).\n*   **Authentication:** Authenticated, minimum role: **Shop Manager**.\n*   **Capability Required:** `manage_woocommerce` (standard for Shop Managers and allows access to YayMail).\n*   **Preconditions:** The attacker must be logged in as a Shop Manager or Administrator.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** An authenticated user with `manage_woocommerce` capability triggers an AJAX request with the action `yaymail_import_template`.\n2.  **Controller:** The request is handled by a controller (likely `YayMail\\Controller\\Customizer` or `YayMail\\Page\\Customizer`).\n3.  **Vulnerable Call:** The handler retrieves a POST parameter (e.g., `template`) which contains a serialized string representing email template settings.\n4.  **Sink:** The code calls `unserialize($template)` or `maybe_unserialize($template)` on this raw input.\n5.  **Object Injection:** PHP instantiates the objects defined in the serialized string, triggering `__wakeup()`, `__destruct()`, or other magic methods if a POP chain is present in the environment.\n\n## 4. Nonce Acquisition Strategy\nYayMail localizes its configuration and security nonces in the WordPress admin head. Based on the provided `manifest.json` and typical plugin behavior:\n\n1.  **Identify Trigger:** The YayMail Customizer interface enqueues its scripts on its main admin page.\n2.  **Target Page:** `\u002Fwp-admin\u002Fadmin.php?page=yaymail-customizer`\n3.  **Extraction Method:**\n    *   Use `browser_navigate` to go to the YayMail Customizer page as a Shop Manager.\n    *   Use `browser_eval` to extract the nonce from the global JavaScript object.\n4.  
**Inferred JS Variable:** In YayMail, the localization object is typically `yaymail_localize` or `yayMailSettings`.\n5.  **JS Command:** \n    ```javascript\n    \u002F\u002F Check common localization keys\n    window.yaymail_localize?.nonce || window.yayMailSettings?.nonce\n    ```\n\n## 5. Exploitation Strategy\nThe exploit involves sending a crafted serialized PHP object to the vulnerable AJAX handler.\n\n### Step-by-Step Plan:\n1.  **Login:** Authenticate as a user with the **Shop Manager** role.\n2.  **Navigate:** Navigate to `\u002Fwp-admin\u002Fadmin.php?page=yaymail-customizer` to ensure the session and nonces are initialized.\n3.  **Extract Nonce:** Execute `browser_eval(\"window.yaymail_localize.nonce\")` to retrieve the nonce for AJAX actions.\n4.  **Craft Payload:** \n    *   Since no internal POP chain is confirmed, use a generic \"Object Injection\" detector or a common core chain (like `WP_Block_List` or `WP_Theme` if applicable for the PHP version).\n    *   **Generic Payload (to confirm injection):** `O:8:\"stdClass\":1:{s:3:\"foo\";s:3:\"bar\";}`\n5.  **Send Request:** Execute an AJAX POST request using the `http_request` tool.\n\n**Example Request:**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** `POST`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=yaymail_import_template&nonce=[NONCE]&template=[SERIALIZED_PAYLOAD]\n    ```\n    *(Note: If `yaymail_import_template` is not the correct action, try `yaymail_duplicate_template` or `yaymail_save_template` with the `data` parameter).*\n\n## 6. Test Data Setup\n1.  **User Creation:** Create a user with the `shop_manager` role.\n    ```bash\n    wp user create attacker attacker@example.com --role=shop_manager --user_pass=password\n    ```\n2.  **Plugin Activation:** Ensure `woocommerce` and `yaymail` are active.\n    ```bash\n    wp plugin activate woocommerce yaymail\n    ```\n3.  
**Environment Check:** Verify the YayMail Customizer page is accessible.\n\n## 7. Expected Results\n*   **Successful Injection:** The server may return a `200 OK` or a PHP error\u002Fnotice if the injected object properties mismatch expected types. If a POP chain is triggered, the specific side effect (e.g., file creation, error log entry) will occur.\n*   **Vulnerability Confirmation:** If the application attempts to process the `stdClass` object as a template and fails with an error like `Catchable fatal error: Object of class stdClass could not be converted to string`, it confirms the `unserialize()` call was reached and executed.\n\n## 8. Verification Steps\n1.  **Check PHP Error Logs:** Look for errors related to `unserialize()` or unexpected classes.\n    ```bash\n    tail -f \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fdebug.log\n    ```\n2.  **Trace Execution:** Use a tool or custom code to monitor calls to `unserialize` within the `yaymail` directory.\n    ```bash\n    grep -rn \"unserialize\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fyaymail\u002F\n    ```\n3.  **Verify via WP-CLI:** After the exploit, check if any settings were changed or if any injected objects persisted in the database (if using a \"save\" endpoint).\n\n## 9. 
Alternative Approaches\nIf `yaymail_import_template` requires a specific file format (e.g., JSON), the vulnerability might reside in:\n*   **`yaymail_save_settings`:** Check if settings are stored as serialized objects.\n*   **`yaymail_duplicate_template`:** This often copies data from one template to another, possibly deserializing the source data.\n*   **Shortcode\u002FFrontend:** Check if any frontend customizer previews allow passing serialized data to display how an email *would* look.\n\n**Potential Payload (if Base64 encoding is required):**\nSome YayMail versions expect the template data to be Base64 encoded before deserialization.\n*   **Payload:** `base64_encode('O:8:\"stdClass\":1:{s:3:\"foo\";s:3:\"bar\";}')`","The YayMail plugin for WordPress is vulnerable to PHP Object Injection in versions up to 4.3.3. This occurs because the plugin's template import functionality deserializes user-provided input via the `maybe_unserialize` function without sufficient validation. Authenticated attackers with Shop Manager privileges can exploit this to execute arbitrary code or perform other malicious actions if a suitable POP chain is available in the environment.","\u002F\u002F src\u002FAjax.php - Inferred logic around line 80-87 leading into the import handler\n$template = isset($_POST['template']) ? $_POST['template'] : '';\n$imported_data = maybe_unserialize(base64_decode($template));\n\n\u002F* src\u002FAjax.php line 87 *\u002F\n$source_version = $imported_data->version;\n\n$backup_data = [\n    'posts'        => $imported_data->posts,\n    'postmeta'     => $imported_data->postmeta,\n    'options'      => $imported_data->options,\n    'created_date' => $imported_data->created_date ?? current_datetime()->format( 'Y-m-d H:i:s' ),\n    'name'         => '_yaymail_import_backup_' . 
$source_version,\n    'version'      => $source_version,\n];","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyaymail\u002F4.3.3\u002Fsrc\u002FAjax.php\t2026-02-12 15:49:00.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fyaymail\u002F4.3.4\u002Fsrc\u002FAjax.php\t2026-03-12 02:31:54.000000000 +0000\n@@ -87,10 +87,51 @@\n \n             $source_version = $imported_data->version;\n \n+            $imported_posts = array_values(\n+                array_filter(\n+                    $imported_data->posts,\n+                    function( $post ) {\n+                        return isset( $post->post_type ) && 'yaymail_template' === $post->post_type;\n+                    }\n+                )\n+            );\n+\n+            $imported_postmeta = array_values(\n+                array_filter(\n+                    $imported_data->postmeta,\n+                    function( $postmeta ) use ( $imported_posts ) {\n+                        if ( empty( $imported_posts ) ) {\n+                            return false;\n+                        }\n+                        if ( ! isset( $postmeta->post_id ) || ! 
isset( $postmeta->meta_key ) ) {\n+                            return false;\n+                        }\n+                        if ( strpos( (string) $postmeta->meta_key, 'yaymail' ) === false ) {\n+                            return false;\n+                        }\n+                        foreach ( $imported_posts as $post ) {\n+                            if ( isset( $post->ID ) && (int) $post->ID === (int) $postmeta->post_id ) {\n+                                return true;\n+                            }\n+                        }\n+                        return false;\n+                    }\n+                )\n+            );\n+\n+            $imported_options = array_values(\n+                array_filter(\n+                    $imported_data->options,\n+                    function( $option ) {\n+                        return isset( $option->option_name ) && strpos( (string) $option->option_name, 'yaymail' ) !== false;\n+                    }\n+                )\n+            );\n+\n             $backup_data = [\n-                'posts'        => $imported_data->posts,\n-                'postmeta'     => $imported_data->postmeta,\n-                'options'      => $imported_data->options,\n+                'posts'        => $imported_posts,\n+                'postmeta'     => $imported_postmeta,\n+                'options'      => $imported_options,\n                 'created_date' => $imported_data->created_date ?? current_datetime()->format( 'Y-m-d H:i:s' ),\n                 'name'         => '_yaymail_import_backup_' . $source_version,\n                 'version'      => $source_version,","The exploit targets the `yaymail_import_template` AJAX action. An attacker with Shop Manager or higher privileges first authenticates and retrieves a security nonce from the global `yaymail_localize` JavaScript object on the YayMail Customizer page. The attacker then constructs a malicious PHP serialized string (a POP chain) and Base64 encodes it. 
This payload is sent in a POST request to `wp-admin\u002Fadmin-ajax.php` using the `template` parameter. When the server processes this request, it calls `maybe_unserialize()` on the decoded payload, triggering the execution of the injected object's magic methods.","gemini-3-flash-preview","2026-05-04 19:38:00","2026-05-04 19:39:15",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","4.3.3","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyaymail\u002Ftags\u002F4.3.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fyaymail.4.3.3.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyaymail\u002Ftags\u002F4.3.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fyaymail.4.3.4.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fyaymail\u002Ftags"]
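Review bot: in the new filtering block before `$backup_data`, `array_filter( $imported_data->posts, ... )`, `array_filter( $imported_data->postmeta, ... )` and `array_filter( $imported_data->options, ... )` run without first checking that each property is an array, so an import whose `posts` is a string or object ends in a PHP 8 `TypeError` instead of a clean rejection; guard each with `is_array( $imported_data->posts ?? null )` and return an error on failure. The hunk also only narrows which rows reach `$backup_data` and does not change how `$imported_data` is produced (shown earlier on this page as `maybe_unserialize( base64_decode( $template ) )`), so objects embedded in the serialized blob are still instantiated before line 87 is reached; replacing that step with a JSON decode, or at minimum `unserialize( $data, [ 'allowed_classes' => false ] )`, is the change that removes the object-injection sink. Finally, `strpos( (string) $postmeta->meta_key, 'yaymail' ) !== false` and the matching check on `option_name` accept any key that merely contains the substring; the strict `'yaymail_template' === $post->post_type` comparison used for posts is the better pattern, e.g. a `str_starts_with()` or explicit allow-list of the plugin's own meta keys and option names.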