Cyber Resilience

CVE-2026-1937

Severity: High
Published: 18 February 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: changeset 3460087 (see Deeper analysis)
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0002 (5.7th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-1937 is a high-severity Missing Authorization (CWE-862) vulnerability affecting WordPress (product inferred from references; the specific plugin is identified under Deeper analysis). Its CVSS v3.1 base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 5.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-1937 is a privilege escalation vulnerability in the YayMail – WooCommerce Email Customizer plugin for WordPress, affecting all versions up to and including 4.3.2. The issue stems from a missing capability check on the `yaymail_import_state` AJAX action, classified under CWE-862 (Missing Authorization). This flaw allows unauthorized modification of WordPress site options, with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

Authenticated attackers with Shop Manager-level access or higher can exploit this vulnerability remotely over the network with low complexity. By sending crafted AJAX requests, they can update arbitrary WordPress options, such as changing the default user role for new registrations to administrator and enabling user registration. This enables attackers to create accounts with full administrative privileges on the site.

Advisories and plugin references, including those from Wordfence, highlight the vulnerable code in `src/Models/MigrationModel.php` at line 143 in version 4.3.2 and the trunk. A specific changeset (3460087) in the plugin repository indicates a patch addressing the missing capability check, recommending site owners update to a fixed version beyond 4.3.2.

EU & UK References

Vulnerability details

The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `yaymail_import_state` AJAX action in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
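The root cause described in the Deeper analysis and Vulnerability details sections is a WordPress AJAX handler that writes options without first confirming the caller's capability. The following is an added illustration of that CWE-862 pattern and of the hardened form a maintainer would ship; it is not code from the YayMail plugin or from the changeset cited above, and every hook, function, nonce and option name in it is an assumption chosen for the example.

```php
<?php
/**
 * Added example, not the plugin's code: a hypothetical WordPress AJAX
 * "import state" handler in its vulnerable shape and its hardened shape.
 * Names such as example_import_state and EXAMPLE_IMPORTABLE_OPTIONS are
 * assumptions for this illustration.
 */

// Vulnerable shape (CWE-862): the handler trusts any logged-in user and writes
// whatever option names and values arrive in the request. Every role that can
// reach admin-ajax.php, Shop Manager included, can therefore rewrite options
// such as default_role and users_can_register.
function example_import_state_unsafe() {
    $state = json_decode( wp_unslash( $_POST['state'] ?? '' ), true );
    foreach ( (array) $state as $name => $value ) {
        update_option( $name, $value );
    }
    wp_send_json_success();
}

// Hardened shape: three independent gates before any write.
//  1. check_ajax_referer(): the request must carry a nonce minted for this
//     action, which stops cross-site request forgery riding an admin session.
//  2. current_user_can( 'manage_options' ): the caller must hold the capability
//     WordPress itself requires for changing site options; WooCommerce does not
//     grant it to Shop Manager by default, so that role is refused here.
//  3. An allow-list of the option names this feature legitimately owns, so even
//     an administrator cannot use the importer to write unrelated options.
const EXAMPLE_IMPORTABLE_OPTIONS = array(
    'example_email_templates', // assumed names for the feature's own settings
    'example_email_layout',
);

function example_import_state_safe() {
    check_ajax_referer( 'example_import_state', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_capability', 403 ); // dies here
    }

    $state = json_decode( wp_unslash( $_POST['state'] ?? '' ), true );
    if ( ! is_array( $state ) ) {
        wp_send_json_error( 'invalid_state', 400 );
    }

    $rejected = array();
    foreach ( $state as $name => $value ) {
        if ( ! in_array( $name, EXAMPLE_IMPORTABLE_OPTIONS, true ) ) {
            // Never touch default_role, users_can_register or anything else
            // outside the allow-list; record the attempt for the caller/log.
            $rejected[] = sanitize_key( $name );
            continue;
        }
        update_option( $name, $value );
    }

    wp_send_json_success( array( 'rejected' => $rejected ) );
}

// Register the hardened handler for logged-in users only. Not registering a
// wp_ajax_nopriv_ variant keeps anonymous callers out of this action entirely.
add_action( 'wp_ajax_example_import_state', 'example_import_state_safe' );
```

The capability check alone closes the issue the advisory describes; the nonce and the allow-list are the defence-in-depth a reviewer would ask for, since option-writing endpoints are a recurring CWE-862 pattern in WordPress plugins. On a site that ran a vulnerable version, the two options named in the advisory are the ones to verify after patching: `wp option get default_role` (a freshly installed site returns `subscriber`) and `wp option get users_can_register` (0 when registration is closed), alongside a review of administrator accounts created since the exposure window.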

CWE(s)

CWE-862 Missing Authorization

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1136.001 Local Account (Persistence): Adversaries may create a local account to maintain access to victim systems.
T1098.007 Additional Local or Domain Groups (Persistence): An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.
Why these techniques?

Missing authorization on the AJAX handler directly enables authenticated privilege escalation (T1068) through arbitrary option modification; that write is then abused to change the default registration role and enable registration so that an administrator account can be created (T1136.001, T1098.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-12821 (shared CWE-862)
CVE-2025-26369 (shared CWE-862)
CVE-2025-26371 (shared CWE-862)
CVE-2025-5483 (shared CWE-862)
CVE-2026-2992 (shared CWE-862)
CVE-2023-53923 (shared CWE-862)
CVE-2025-26375 (shared CWE-862)
CVE-2025-8059 (shared CWE-862)
CVE-2026-8547 (shared CWE-862)
CVE-2026-22172 (shared CWE-862)

Affected Assets

WordPress (inferred from references and description; NVD had not filed a CPE for this CVE)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent (AC-3 Access Enforcement): directly enforces authorization checks before permitting actions such as the unprotected `yaymail_import_state` AJAX handler.

Prevent (AC-6 Least Privilege): limits the capabilities granted to Shop Manager accounts so they cannot arbitrarily modify site options even if a check is missing.

Prevent: restricts which roles may perform configuration changes, blocking the unauthorized option updates that enable privilege escalation.

References