CVE-2026-1937: CWE-862 Missing Authorization in yaycommerce YayMail – WooCommerce Email Customizer
The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized modification of data that can lead to privilege escalation due to a missing capability check on the `yaymail_import_state` AJAX action in all versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to update arbitrary options on the WordPress site. This can be leveraged to update the default role for registration to administrator and enable user registration for attackers to gain administrative user access to a vulnerable site.
AI Analysis
Technical Summary
CVE-2026-1937 is a critical authorization bypass vulnerability in the YayMail – WooCommerce Email Customizer plugin for WordPress, identified as CWE-862 (Missing Authorization). The vulnerability exists in the yaymail_import_state AJAX action, which lacks proper capability checks, allowing authenticated users with Shop Manager-level privileges or higher to perform unauthorized modifications to WordPress site options. Specifically, attackers can update arbitrary options, including changing the default user role for new registrations to administrator and enabling user registration. This effectively allows attackers to create new administrative accounts, leading to complete site compromise. The vulnerability affects all versions up to and including 4.3.2 of the plugin. The CVSS 3.1 score of 9.8 reflects the vulnerability's critical nature, with network attack vector, low attack complexity, no privileges required beyond Shop Manager, no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently in the wild, the flaw's simplicity and impact make it a significant threat. The vulnerability was published on February 18, 2026, and no official patches have been linked yet. Organizations using WooCommerce with this plugin should consider immediate mitigations to prevent exploitation.
Potential Impact
For European organizations, this vulnerability poses a severe risk as it enables privilege escalation from Shop Manager to administrator, potentially leading to full site compromise. This can result in unauthorized access to sensitive customer data, manipulation of e-commerce transactions, defacement, or complete loss of service availability. Given WooCommerce's popularity in Europe for online retail, many small to medium enterprises could be affected, especially those with multiple Shop Manager users or less stringent role management. The ability to enable user registration and assign administrative roles can facilitate persistent attacker presence and lateral movement within the WordPress environment. The impact extends to reputational damage, regulatory non-compliance (e.g., GDPR breaches due to data exposure), and financial losses from disrupted operations or fraud. The lack of public exploits currently provides a window for proactive defense, but the critical severity demands urgent attention.
Mitigation Recommendations
1. Immediately audit and restrict Shop Manager permissions to the minimum necessary, ensuring only trusted users have this role.
2. Temporarily disable user registration on affected WordPress sites until patches are available.
3. Monitor for suspicious changes in WordPress options, especially default user roles and registration settings.
4. Implement Web Application Firewall (WAF) rules to detect and block unauthorized AJAX requests to yaymail_import_state endpoints.
5. Keep the YayMail plugin updated and apply any patches released by the vendor as soon as they become available.
6. Consider removing or replacing the plugin if it is not essential to reduce attack surface.
7. Conduct regular security audits and role-based access control reviews to prevent privilege escalation risks.
8. Use security plugins that can alert on changes to user roles or new administrator accounts.
9. Educate site administrators about the risks of elevated roles and the importance of strict access controls.
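Mitigations 3 and 8 can be enforced at the WordPress layer rather than only monitored. The following must-use plugin is an added example, not code from YayMail or from this advisory: it hooks the `pre_update_option_{$option}` filter so that writes to `default_role` and `users_can_register` from any code path (including an unguarded AJAX handler) are discarded unless the current user holds `manage_options`, and it logs every promotion to administrator via the `set_user_role` action. It assumes a standard WooCommerce install where the Shop Manager role has `manage_woocommerce` but not `manage_options`; the plugin name, function names and log format are the example's own.

```php
<?php
/**
 * Plugin Name: Option Guard (illustrative mu-plugin, not part of YayMail)
 * Description: Refuses changes to registration-related options unless the
 *              caller holds manage_options, and logs promotions to administrator.
 * Install:     copy into wp-content/mu-plugins/ so it loads on every request.
 */

// The two options this advisory names as the privilege-escalation path.
const OPTION_GUARD_PROTECTED = array( 'default_role', 'users_can_register' );

/**
 * Gate one option update. Returning the old value makes update_option() a
 * no-op, so the write is silently dropped for callers without manage_options.
 * Assumption: Shop Managers hold manage_woocommerce, not manage_options.
 *
 * @param mixed  $value     Value the caller is trying to store.
 * @param mixed  $old_value Value currently stored.
 * @param string $option    Option name.
 * @return mixed Value that will actually be stored.
 */
function option_guard_pre_update( $value, $old_value, $option ) {
    if ( $value === $old_value || current_user_can( 'manage_options' ) ) {
        return $value;
    }
    $user = wp_get_current_user();
    $uri  = isset( $_SERVER['REQUEST_URI'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REQUEST_URI'] ) ) : '?';
    error_log( sprintf(
        'option_guard: blocked change of %s by user #%d (roles: %s) via %s; ajax=%s',
        $option, $user->ID, implode( ',', $user->roles ), $uri,
        wp_doing_ajax() ? 'yes' : 'no'
    ) );
    return $old_value; // unchanged value => update_option() stores nothing
}

foreach ( OPTION_GUARD_PROTECTED as $opt ) {
    add_filter( "pre_update_option_{$opt}", 'option_guard_pre_update', 10, 3 );
}

/**
 * Record every promotion to administrator so a log-based alert can fire on it.
 * Fired by WP_User::set_role() with ( $user_id, $new_role, $old_roles ).
 */
function option_guard_on_set_role( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role && ! in_array( 'administrator', (array) $old_roles, true ) ) {
        error_log( sprintf( 'option_guard: user #%d promoted to administrator by user #%d',
            $user_id, get_current_user_id() ) );
    }
}
add_action( 'set_user_role', 'option_guard_on_set_role', 10, 3 );
```

This limits the impact of the missing capability check but does not replace the vendor patch, since the handler still accepts writes to every other option. WP-CLI runs have no current user unless `--user=<admin>` is passed, so the guard refuses those changes too.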
Affected Countries
Germany, United Kingdom, France, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-04T21:18:36.457Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6995672780d747be204d293f
Added to database: 2/18/2026, 7:15:51 AM
Last enriched: 2/18/2026, 7:30:21 AM
Last updated: 2/19/2026, 8:58:34 PM