YayMail – WooCommerce Email Customizer <= 4.3.2 - Missing Authorization
Description
The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v4.3.3
Source Code
WordPress.org SVN# Research Plan: CVE-2026-27327 - YayMail Missing Authorization ## 1. Vulnerability Summary The **YayMail – WooCommerce Email Customizer** plugin (<= 4.3.2) fails to implement proper capability checks (authorization) on several of its AJAX handlers. Specifically, functions intended for administrato…
Show full research plan
Research Plan: CVE-2026-27327 - YayMail Missing Authorization
1. Vulnerability Summary
The YayMail – WooCommerce Email Customizer plugin (<= 4.3.2) fails to implement proper capability checks (authorization) on several of its AJAX handlers. Specifically, functions intended for administrators (like saving email templates, duplicating templates, or resetting configurations) are registered via wp_ajax_ hooks without verifying if the requesting user has the manage_woocommerce or manage_options capability. This allows any authenticated user with Contributor-level access or higher to modify or corrupt WooCommerce email templates.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Authentication: Contributor-level account required.
- Vulnerable Hook:
wp_ajax_yaymail_save_elementsorwp_ajax_yaymail_duplicate_template(inferred based on plugin logic). - Payload Parameter:
action,nonce, and specific data parameters liketemplateId,elements(JSON-encoded email structure).
3. Code Flow (Inferred)
- The plugin registers AJAX actions in a controller class (likely within
includes/orincludes/Admin/Ajax.php). - Example Registration:
add_action('wp_ajax_yaymail_save_elements', array($this, 'save_elements')); - The callback function
save_elements()is invoked. - The function checks for a nonce using
check_ajax_referer('yaymail-nonce', 'nonce'). - Vulnerability: The function proceeds to update post meta or database options without calling
current_user_can('manage_woocommerce'). - User-supplied template data is saved to the database, affecting how customers receive emails.
4. Nonce Acquisition Strategy
YayMail localizes its configuration and security tokens into a JavaScript object. Based on the entry point yaymail-main.tsx-523766ce.js, the data is likely localized for the yaymail-main handle.
- Identify Script Handle: Search PHP for
wp_localize_script. Look for the object name (e.g.,YayMailorYayMailSettings). - Setup: A Contributor user can access the WordPress dashboard (
/wp-admin/). While they may not see the YayMail menu, the scripts and nonces are often loaded on all admin pages or can be triggered by navigating to the plugin's admin page slug directly (/wp-admin/admin.php?page=yaymail-settings). - Extraction:
- Use
browser_navigateto/wp-admin/index.php. - Use
browser_evalto extract the nonce:// Likely candidate for the localized object window.YayMail?.nonce || window.YayMailSettings?.nonce
- Use
- Bypass Check: If the nonce is strictly limited to the YayMail admin page (which Contributors can't access), check if the
wp_ajax_handler verifies the nonce correctly or if the nonce is leaked on all admin pages via a globaladmin_enqueue_scriptshook.
5. Exploitation Strategy
We will target the email template modification functionality to demonstrate unauthorized data manipulation.
Step 1: Discover Template IDs
Use WP-CLI to find an existing YayMail template ID to target.
wp post list --post_type=yaymail_template --format=ids
Step 2: Extract Nonce
Navigate to the dashboard as a Contributor and extract the yaymail-nonce.
Step 3: Execute Unauthorized Modification
Send a POST request to admin-ajax.php to modify a template.
- URL:
http://localhost:8080/wp-admin/admin-ajax.php - Method:
POST - Content-Type:
application/x-www-form-urlencoded - Body:
action=yaymail_save_elements& nonce=[EXTRACTED_NONCE]& templateId=[TEMPLATE_ID]& elements=[{"type":"text","content":"EXPLOITED BY CONTRIBUTOR"}]
6. Test Data Setup
- Install Dependencies: Ensure WooCommerce and YayMail (<= 4.3.2) are installed and active.
- Create Template: Create at least one YayMail template for "New Order".
wp eval "YayMail\Helper\Helper::create_default_templates();"(or similar internal helper if known).
- Create User:
wp user create attacker attacker@example.com --role=contributor --user_pass=password
7. Expected Results
- Response: The server should return a JSON success message (e.g.,
{"success":true}). - Impact: The template data for the specified
templateIdis updated in thewp_postmetatable (look for_yaymail_elementsor similar meta keys).
8. Verification Steps
After the exploit, verify the database state using WP-CLI:
# Check if the post meta was updated
wp post meta get [TEMPLATE_ID] _yaymail_elements
If the output contains "EXPLOITED BY CONTRIBUTOR", authorization was successfully bypassed.
9. Alternative Approaches
If yaymail_save_elements is not the vulnerable action, search the PHP codebase for other unprotected actions:
grep -r "wp_ajax_yaymail_" .- For each found action, check the corresponding function for
current_user_can. - Other high-impact targets:
yaymail_duplicate_template: Create arbitrary copies of templates.yaymail_reset_template: Delete existing customizations.yaymail_save_settings: Modify global plugin settings (e.g., SMTP settings if integrated).
Summary
The YayMail plugin for WordPress is vulnerable to unauthorized access due to missing capability checks on several AJAX and REST API handlers. This allows authenticated attackers with Contributor-level roles or higher to perform administrative actions such as installing plugins, managing licenses, and modifying WooCommerce email templates.
Vulnerable Code
// src/Ajax.php line 231 if ( ! wp_verify_nonce( $nonce, 'yaymail_frontend_nonce' ) ) { return wp_send_json_error( [ 'mess' => __( 'Verify nonce failed', 'yaymail' ) ] ); } try { $is_installed = $this->process_plugin_installer( 'yaysmtp' ); --- // src/License/RestAPI.php line 142 public function permission_callback() { return true; }
Security Fix
@@ -231,6 +231,11 @@ if ( ! wp_verify_nonce( $nonce, 'yaymail_frontend_nonce' ) ) { return wp_send_json_error( [ 'mess' => __( 'Verify nonce failed', 'yaymail' ) ] ); } + + if ( ! current_user_can( 'install_plugins' ) && ! current_user_can( 'activate_plugins' ) ) { + return wp_send_json_error( [ 'mess' => __( 'You do not have permission to install plugins', 'yaymail' ) ] ); + } + try { $is_installed = $this->process_plugin_installer( 'yaysmtp' ); @@ -21,6 +21,10 @@ $this->init_hooks(); } + protected function permission_callback_admin_only() { + return current_user_can( 'activate_plugins' ); + } + protected function init_hooks() { register_rest_route( YAYMAIL_REST_NAMESPACE, @@ -40,7 +44,7 @@ [ 'methods' => \WP_REST_Server::EDITABLE, 'callback' => [ $this, 'exec_activate_addon' ], - 'permission_callback' => [ $this, 'permission_callback' ], + 'permission_callback' => [ $this, 'permission_callback_admin_only' ], ], ] ); @@ -51,7 +55,7 @@ [ 'methods' => \WP_REST_Server::EDITABLE, 'callback' => [ $this, 'exec_deactivate_addon' ], - 'permission_callback' => [ $this, 'permission_callback' ], + 'permission_callback' => [ $this, 'permission_callback_admin_only' ], ], ] ); @@ -140,6 +140,6 @@ } public function permission_callback() { - return true; + return current_user_can( 'manage_options' ); } }
Exploit Outline
An authenticated attacker with Contributor-level access can exploit this vulnerability by accessing the WordPress admin dashboard and extracting the required nonces (like 'yaymail_frontend_nonce' or REST nonces) from localized JavaScript objects. The attacker can then send POST requests to vulnerable AJAX endpoints (e.g., admin-ajax.php) or REST API routes (e.g., /wp-json/yaymail/v1/addons/activate) to perform unauthorized actions such as installing the YaySMTP plugin, activating addons, or potentially modifying WooCommerce email templates via internal template update methods that lack authorization checks.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.