CVE-2026-27327

YayMail – WooCommerce Email Customizer <= 4.3.2 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
4.3.3
Patched in
119d
Time to patch

Description

The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.3.2
PublishedJanuary 6, 2026
Last updatedMay 4, 2026
Affected pluginyaymail

What Changed in the Fix

Changes introduced in v4.3.3

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Research Plan: CVE-2026-27327 - YayMail Missing Authorization ## 1. Vulnerability Summary The **YayMail – WooCommerce Email Customizer** plugin (<= 4.3.2) fails to implement proper capability checks (authorization) on several of its AJAX handlers. Specifically, functions intended for administrato…

Show full research plan

Research Plan: CVE-2026-27327 - YayMail Missing Authorization

1. Vulnerability Summary

The YayMail – WooCommerce Email Customizer plugin (<= 4.3.2) fails to implement proper capability checks (authorization) on several of its AJAX handlers. Specifically, functions intended for administrators (like saving email templates, duplicating templates, or resetting configurations) are registered via wp_ajax_ hooks without verifying if the requesting user has the manage_woocommerce or manage_options capability. This allows any authenticated user with Contributor-level access or higher to modify or corrupt WooCommerce email templates.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Authentication: Contributor-level account required.
  • Vulnerable Hook: wp_ajax_yaymail_save_elements or wp_ajax_yaymail_duplicate_template (inferred based on plugin logic).
  • Payload Parameter: action, nonce, and specific data parameters like templateId, elements (JSON-encoded email structure).

3. Code Flow (Inferred)

  1. The plugin registers AJAX actions in a controller class (likely within includes/ or includes/Admin/Ajax.php).
  2. Example Registration: add_action('wp_ajax_yaymail_save_elements', array($this, 'save_elements'));
  3. The callback function save_elements() is invoked.
  4. The function checks for a nonce using check_ajax_referer('yaymail-nonce', 'nonce').
  5. Vulnerability: The function proceeds to update post meta or database options without calling current_user_can('manage_woocommerce').
  6. User-supplied template data is saved to the database, affecting how customers receive emails.

4. Nonce Acquisition Strategy

YayMail localizes its configuration and security tokens into a JavaScript object. Based on the entry point yaymail-main.tsx-523766ce.js, the data is likely localized for the yaymail-main handle.

  1. Identify Script Handle: Search PHP for wp_localize_script. Look for the object name (e.g., YayMail or YayMailSettings).
  2. Setup: A Contributor user can access the WordPress dashboard (/wp-admin/). While they may not see the YayMail menu, the scripts and nonces are often loaded on all admin pages or can be triggered by navigating to the plugin's admin page slug directly (/wp-admin/admin.php?page=yaymail-settings).
  3. Extraction:
    • Use browser_navigate to /wp-admin/index.php.
    • Use browser_eval to extract the nonce:
      // Likely candidate for the localized object
      window.YayMail?.nonce || window.YayMailSettings?.nonce
      
  4. Bypass Check: If the nonce is strictly limited to the YayMail admin page (which Contributors can't access), check if the wp_ajax_ handler verifies the nonce correctly or if the nonce is leaked on all admin pages via a global admin_enqueue_scripts hook.

5. Exploitation Strategy

We will target the email template modification functionality to demonstrate unauthorized data manipulation.

Step 1: Discover Template IDs

Use WP-CLI to find an existing YayMail template ID to target.

wp post list --post_type=yaymail_template --format=ids

Step 2: Extract Nonce

Navigate to the dashboard as a Contributor and extract the yaymail-nonce.

Step 3: Execute Unauthorized Modification

Send a POST request to admin-ajax.php to modify a template.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Content-Type: application/x-www-form-urlencoded
  • Body:
    action=yaymail_save_elements&
    nonce=[EXTRACTED_NONCE]&
    templateId=[TEMPLATE_ID]&
    elements=[{"type":"text","content":"EXPLOITED BY CONTRIBUTOR"}]
    

6. Test Data Setup

  1. Install Dependencies: Ensure WooCommerce and YayMail (<= 4.3.2) are installed and active.
  2. Create Template: Create at least one YayMail template for "New Order".
    • wp eval "YayMail\Helper\Helper::create_default_templates();" (or similar internal helper if known).
  3. Create User:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password
    

7. Expected Results

  • Response: The server should return a JSON success message (e.g., {"success":true}).
  • Impact: The template data for the specified templateId is updated in the wp_postmeta table (look for _yaymail_elements or similar meta keys).

8. Verification Steps

After the exploit, verify the database state using WP-CLI:

# Check if the post meta was updated
wp post meta get [TEMPLATE_ID] _yaymail_elements

If the output contains "EXPLOITED BY CONTRIBUTOR", authorization was successfully bypassed.

9. Alternative Approaches

If yaymail_save_elements is not the vulnerable action, search the PHP codebase for other unprotected actions:

  1. grep -r "wp_ajax_yaymail_" .
  2. For each found action, check the corresponding function for current_user_can.
  3. Other high-impact targets:
    • yaymail_duplicate_template: Create arbitrary copies of templates.
    • yaymail_reset_template: Delete existing customizations.
    • yaymail_save_settings: Modify global plugin settings (e.g., SMTP settings if integrated).
Research Findings
Static analysis — not yet PoC-verified

Summary

The YayMail plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several AJAX and REST API handlers. This allows authenticated attackers with Contributor-level roles or higher to perform administrative actions such as installing plugins, managing licenses, and modifying WooCommerce email templates.

Vulnerable Code

// src/Ajax.php line 231
        if ( ! wp_verify_nonce( $nonce, 'yaymail_frontend_nonce' ) ) {
            return wp_send_json_error( [ 'mess' => __( 'Verify nonce failed', 'yaymail' ) ] );
        }
        try {
            $is_installed = $this->process_plugin_installer( 'yaysmtp' );

---

// src/License/RestAPI.php line 142
    public function permission_callback() {
        return true;
    }

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.2/src/Ajax.php /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.3/src/Ajax.php
--- /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.2/src/Ajax.php	2025-12-17 13:01:26.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.3/src/Ajax.php	2026-02-12 15:49:00.000000000 +0000
@@ -231,6 +231,11 @@
         if ( ! wp_verify_nonce( $nonce, 'yaymail_frontend_nonce' ) ) {
             return wp_send_json_error( [ 'mess' => __( 'Verify nonce failed', 'yaymail' ) ] );
         }
+
+        if ( ! current_user_can( 'install_plugins' ) && ! current_user_can( 'activate_plugins' ) ) {
+            return wp_send_json_error( [ 'mess' => __( 'You do not have permission to install plugins', 'yaymail' ) ] );
+        }
+
         try {
             $is_installed = $this->process_plugin_installer( 'yaysmtp' );
 
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.2/src/Controllers/AddonController.php /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.3/src/Controllers/AddonController.php
--- /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.2/src/Controllers/AddonController.php	2025-12-17 13:01:26.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.3/src/Controllers/AddonController.php	2026-02-12 15:49:00.000000000 +0000
@@ -21,6 +21,10 @@
         $this->init_hooks();
     }
 
+    protected function permission_callback_admin_only() {
+        return current_user_can( 'activate_plugins' );
+    }
+
     protected function init_hooks() {
         register_rest_route(
             YAYMAIL_REST_NAMESPACE,
@@ -40,7 +44,7 @@
                 [
                     'methods'             => \WP_REST_Server::EDITABLE,
                     'callback'            => [ $this, 'exec_activate_addon' ],
-                    'permission_callback' => [ $this, 'permission_callback' ],
+                    'permission_callback' => [ $this, 'permission_callback_admin_only' ],
                 ],
             ]
         );
@@ -51,7 +55,7 @@
                 [
                     'methods'             => \WP_REST_Server::EDITABLE,
                     'callback'            => [ $this, 'exec_deactivate_addon' ],
-                    'permission_callback' => [ $this, 'permission_callback' ],
+                    'permission_callback' => [ $this, 'permission_callback_admin_only' ],
                 ],
             ]
         );
diff -ru /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.2/src/License/RestAPI.php /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.3/src/License/RestAPI.php
--- /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.2/src/License/RestAPI.php	2025-12-17 13:01:26.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/yaymail/4.3.3/src/License/RestAPI.php	2026-02-12 15:49:00.000000000 +0000
@@ -140,6 +140,6 @@
     }
 
     public function permission_callback() {
-        return true;
+        return current_user_can( 'manage_options' );
     }
 }

Exploit Outline

An authenticated attacker with Contributor-level access can exploit this vulnerability by accessing the WordPress admin dashboard and extracting the required nonces (like 'yaymail_frontend_nonce' or REST nonces) from localized JavaScript objects. The attacker can then send POST requests to vulnerable AJAX endpoints (e.g., admin-ajax.php) or REST API routes (e.g., /wp-json/yaymail/v1/addons/activate) to perform unauthorized actions such as installing the YaySMTP plugin, activating addons, or potentially modifying WooCommerce email templates via internal template update methods that lack authorization checks.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.