CVE-2026-1937
Published: 18 February 2026
Summary
CVE-2026-1937 is a high-severity Missing Authorization (CWE-862) vulnerability in the YayMail – WooCommerce Email Customizer plugin for WordPress. Its CVSS v3.1 base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). It ranks at the 5.7th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-1937 is a privilege escalation vulnerability in the YayMail – WooCommerce Email Customizer plugin for WordPress, affecting all versions up to and including 4.3.2. The issue stems from a missing capability check on the `yaymail_import_state` AJAX action, classified under CWE-862 (Missing Authorization). The handler lets a caller modify WordPress site options that its role should never be able to reach. The CVSS v3.1 base score is 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H); the PR:H component reflects the Shop Manager or higher account the attacker must already hold.
Authenticated attackers with Shop Manager-level access or higher can exploit this remotely over the network with low complexity. WordPress AJAX actions are reached through `/wp-admin/admin-ajax.php`, and because the handler never checks a capability, the WooCommerce Shop Manager role (which carries `manage_woocommerce` but not the `manage_options` capability that core requires for changing site settings) is enough. By sending crafted requests to the action, an attacker can write arbitrary options: the documented path sets the default role for new registrations (`default_role`) to `administrator` and turns on `users_can_register`, after which simply registering a new account yields an administrator login.
Advisories, including Wordfence's, point to the vulnerable code at `src/Models/MigrationModel.php` line 143 in version 4.3.2 and in trunk. Changeset 3460087 in the plugin repository patches the missing capability check; site owners should update to a version later than 4.3.2 that contains it.
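The defect class described above, as an added illustrative example in PHP. This is not code from the YayMail plugin, from Wordfence or from the changeset; the hook names, nonce action, request field and option keys are invented for the example. It shows an admin-ajax handler that imports a "state" array into options, first in the vulnerable shape (a nonce check but no capability check and no restriction on which option keys may be written) and then in a hardened form. It runs inside the WordPress plugin runtime.

```php
<?php
// Added illustrative example, not the plugin's own code. Hook names, nonce action,
// request field and option keys are assumptions made for this example.

// --- Vulnerable pattern: any logged-in user who can reach admin-ajax.php and holds a
// valid nonce can write ANY option, including default_role and users_can_register.
function example_import_state_vulnerable() {
    // A nonce is a CSRF control, not an authorization control: it proves the request
    // came from a page served to this user, not that the user is allowed to do this.
    check_ajax_referer( 'example_import_nonce', 'nonce' );
    $state = json_decode( wp_unslash( $_POST['state'] ?? '' ), true );
    if ( ! is_array( $state ) ) {
        wp_send_json_error( 'bad payload', 400 );
    }
    foreach ( $state as $key => $value ) {
        update_option( $key, $value ); // caller controls both key and value
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_import_state_vulnerable', 'example_import_state_vulnerable' );

// --- Hardened pattern: capability check, nonce check, and an allowlist of the
// plugin's own option keys so core options can never be reached through this path.
const EXAMPLE_ALLOWED_OPTION_KEYS = array( 'example_template_settings', 'example_logo_url' );

// Keep only allowlisted keys. Pure function, so it can be unit-tested outside WordPress.
function example_filter_import_state( array $state, array $allowed ) {
    return array_intersect_key( $state, array_flip( $allowed ) );
}

function example_import_state_hardened() {
    // manage_options is the capability WordPress core requires to edit site settings.
    // Administrators hold it; the WooCommerce Shop Manager role does not.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_import_nonce', 'nonce' );
    $state = json_decode( wp_unslash( $_POST['state'] ?? '' ), true );
    if ( ! is_array( $state ) ) {
        wp_send_json_error( 'bad payload', 400 );
    }
    $state = example_filter_import_state( $state, EXAMPLE_ALLOWED_OPTION_KEYS );
    foreach ( $state as $key => $value ) {
        update_option( $key, $value );
    }
    wp_send_json_success( array( 'imported' => array_keys( $state ) ) );
}
add_action( 'wp_ajax_example_import_state_hardened', 'example_import_state_hardened' );
```

The capability check is the fix the advisory describes; the allowlist is defence in depth, so that a future handler that again forgets its check still cannot write `default_role` or `users_can_register`. To check a site's current state, compare `default_role` and `users_can_register` against expected values (for example with WP-CLI: `wp option get default_role` and `wp option get users_can_register`) and review administrator accounts created recently.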
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8081
Vulnerability details
The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `yaymail_import_state` AJAX action in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
- CWE(s): CWE-862 (Missing Authorization)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The missing authorization check on the AJAX handler gives an authenticated Shop Manager arbitrary option writes, which is privilege escalation through exploitation (T1068). Those writes are used to set the default registration role to administrator and to enable registration, so the attacker then registers a new local account that starts life as an administrator (Create Account: Local Account, T1136.001), which amounts to granting the account an additional privileged role (Account Manipulation: Additional Local or Domain Groups, T1098.007).
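Detection of the abuse path just described, plus a temporary compensating control, as an added PHP example that is not code from the plugin or from this page's source. It is a must-use plugin (dropped into wp-content/mu-plugins/) that logs any change to `default_role` or `users_can_register` together with the acting user and request, and pins both options to safe values until the plugin is patched. The option list, expected values and log format are assumptions of this example.

```php
<?php
// Added illustrative example, not the plugin's own code. Expected values, the
// log format and the choice of options to watch are assumptions for this example.

// Core options this CVE is used to flip, with the value a hardened site expects.
const EXAMPLE_SENSITIVE_OPTIONS = array(
    'default_role'       => 'subscriber',
    'users_can_register' => '0',
);

// Decide whether an option change is worth alerting on. Pure function (no WordPress
// calls), so it can be unit-tested outside WordPress. Returns a reason string or null.
function example_option_change_reason( $option, $new_value ) {
    if ( ! array_key_exists( $option, EXAMPLE_SENSITIVE_OPTIONS ) ) {
        return null;
    }
    // Options are stored as strings; normalise before comparing.
    $new = is_scalar( $new_value ) ? (string) $new_value : json_encode( $new_value );
    if ( 'default_role' === $option && 'administrator' === $new ) {
        return 'default registration role set to administrator';
    }
    if ( $new !== EXAMPLE_SENSITIVE_OPTIONS[ $option ] ) {
        return sprintf( '%s changed to %s', $option, $new );
    }
    return null;
}

// Fires after any option is updated: do_action( 'updated_option', $option, $old, $new ).
function example_log_option_change( $option, $old_value, $new_value ) {
    $reason = example_option_change_reason( (string) $option, $new_value );
    if ( null === $reason ) {
        return;
    }
    $user = wp_get_current_user();
    $line = sprintf(
        'SENSITIVE OPTION CHANGE: %s | user=%s (id %d) | action=%s | ip=%s | old=%s new=%s',
        $reason,
        $user->user_login,
        $user->ID,
        sanitize_text_field( wp_unslash( $_REQUEST['action'] ?? '' ) ), // admin-ajax action name, if any
        sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '' ),
        wp_json_encode( $old_value ),
        wp_json_encode( $new_value )
    );
    error_log( $line ); // forward the same line to your SIEM from the PHP error log
}
add_action( 'updated_option', 'example_log_option_change', 10, 3 );

// Compensating control while waiting to patch: get_option() returns these fixed values
// regardless of what is written to the database, so a flipped option cannot take
// effect. Only appropriate on sites that do not rely on open registration.
add_filter( 'pre_option_users_can_register', '__return_zero' );
add_filter( 'pre_option_default_role', function () {
    return 'subscriber';
} );
```

The two halves work together: `update_option()` still writes the attacker's value to the database and still fires `updated_option`, so the change is logged with the user and the admin-ajax action that caused it, while the `pre_option_` filters keep registration closed and the default role harmless until the plugin is updated.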
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforce an authorization check before the action runs, which is exactly what the unprotected yaymail_import_state AJAX handler lacked; in WordPress terms, a current_user_can() test for the capability the operation requires (manage_options for writing site options).
- AC-6 (Least Privilege): keep Shop Manager accounts to the users who need them and to the capabilities the role requires, so that fewer accounts can reach the plugin's admin-ajax actions while a check is missing and a compromised Shop Manager has less to work with.
- Restrict which roles may perform configuration changes, so that unauthorized option updates of the kind that enable this privilege escalation are blocked.