CVE-2026-1938: CWE-862 Missing Authorization in yaycommerce YayMail – WooCommerce Email Customizer
The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized license key deletion due to a missing authorization check on the `/yaymail-license/v1/license/delete` REST endpoint in versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to delete the plugin's license key via the `/yaymail-license/v1/license/delete` endpoint, provided they can obtain the REST API nonce.
AI Analysis
Technical Summary
CVE-2026-1938 is a missing authorization vulnerability (CWE-862) in the YayMail – WooCommerce Email Customizer plugin for WordPress, affecting all versions up to and including 4.3.2. The REST API endpoint /yaymail-license/v1/license/delete lacks a proper authorization check, so any authenticated user with Shop Manager-level privileges or higher can delete the plugin's license key. Exploitation requires a valid REST API nonce, the CSRF token WordPress expects on cookie-authenticated REST requests; the nonce proves the request came from a logged-in session, not that the user is entitled to manage licenses. Shop Manager is a mid-level WooCommerce role that can manage orders and products but is not an administrator, so the attack surface includes users whose privileges are limited but still sufficient to cause damage. Deleting the license key can disrupt the plugin's functionality, potentially disabling email customization features that e-commerce operations depend on. The vulnerability does not directly expose sensitive data or allow code execution; its impact is on the integrity of the plugin's licensing mechanism. The CVSS 3.1 score of 5.3 reflects medium severity: network attack vector, low attack complexity, no privileges required beyond Shop Manager, no user interaction, and a limited impact on integrity only. No public exploits have been reported and no patches are currently linked, so users should monitor for updates and apply them promptly once released.
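The following is an added illustration of how CWE-862 typically appears in a WordPress REST route and how the developer-side fix looks; it is not the plugin's actual code. Only the route path comes from the advisory; the function names, the option key and the choice of `manage_options` as the required capability are assumptions.

```php
<?php
// Illustrative reconstruction (not YayMail's code) of a REST route that
// performs no authorization check, beside the hardened form.

// Vulnerable pattern: every request that reaches the route is allowed through.
// WordPress still demands a valid REST nonce for cookie-authenticated calls,
// which is why the advisory mentions the nonce, but a nonce is a CSRF control,
// not an authorization check: each logged-in user can obtain their own.
function yaymail_example_register_vulnerable_route() {
    register_rest_route( 'yaymail-license/v1', '/license/delete', array(
        'methods'             => 'POST',
        'callback'            => 'yaymail_example_delete_license',
        'permission_callback' => '__return_true', // no capability check at all
    ) );
}

// Hardened pattern: the permission callback decides who may delete the key.
// License management is a site-administration action, so tie it to
// manage_options (Administrators only); Shop Managers do not hold it.
function yaymail_example_register_hardened_route() {
    register_rest_route( 'yaymail-license/v1', '/license/delete', array(
        'methods'             => 'POST',
        'callback'            => 'yaymail_example_delete_license',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to manage this license.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
}

// Shared callback; the option name is an assumption for the example.
function yaymail_example_delete_license( WP_REST_Request $request ) {
    delete_option( 'yaymail_example_license_key' );
    return rest_ensure_response( array( 'deleted' => true ) );
}

add_action( 'rest_api_init', 'yaymail_example_register_hardened_route' );
```

`rest_authorization_required_code()` returns 401 for anonymous callers and 403 for logged-in users without the capability, so the response distinguishes "not logged in" from "not allowed".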
Potential Impact
For European organizations, especially those operating e-commerce platforms using WooCommerce with the YayMail plugin, this vulnerability can lead to unauthorized deletion of the plugin license key by users with Shop Manager privileges. This can disrupt email customization workflows, potentially affecting customer communications such as order confirmations, shipping notifications, and promotional emails. While it does not directly compromise customer data confidentiality or system availability, the loss of email customization can degrade user experience and brand reputation. Additionally, unauthorized license deletion might force organizations to re-validate or re-purchase licenses, causing operational delays and financial impact. Attackers with Shop Manager access could exploit this vulnerability to sabotage email functions, which could be leveraged in broader social engineering or phishing campaigns. Given the widespread use of WooCommerce in European SMEs and larger retailers, the impact could be significant in sectors reliant on automated email communications for customer engagement and compliance.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first restrict Shop Manager role assignments to trusted personnel only, minimizing the number of users with potential exploit capability. Implement strict monitoring and logging of REST API calls, especially those targeting the /yaymail-license/v1/license/delete endpoint, to detect suspicious activity. Employ Web Application Firewalls (WAFs) with custom rules to block unauthorized REST API requests to this endpoint. Until an official patch is released, consider temporarily disabling or restricting access to the YayMail license management REST endpoints via server-level controls or WordPress hooks. Educate administrators and Shop Managers about the risks of sharing REST API nonces and ensure secure handling of authentication tokens. Regularly audit user roles and permissions to ensure least privilege principles are enforced. Finally, stay updated with vendor advisories and apply patches immediately upon release to remediate the vulnerability.
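As an added example of the "WordPress hooks" interim control mentioned above (not code from YayMail or its vendor), the following must-use plugin gates every route under the vulnerable namespace behind an administrator capability and logs blocked attempts. The namespace prefix comes from the advisory; the capability (`manage_options`), function name and log format are assumptions.

```php
<?php
/*
Plugin Name: YayMail License Endpoint Guard (interim mitigation, example only)
*/
// Drop into wp-content/mu-plugins/ until the patched plugin version is installed.
// The rest_request_before_callbacks filter runs before the route's own
// permission_callback; returning a WP_Error short-circuits the route callback.

add_filter( 'rest_request_before_callbacks', 'yml_guard_license_routes', 10, 3 );

function yml_guard_license_routes( $response, $handler, WP_REST_Request $request ) {
    // Only act on the affected namespace; leave every other route untouched.
    if ( strpos( $request->get_route(), '/yaymail-license/v1/' ) !== 0 ) {
        return $response;
    }

    if ( current_user_can( 'manage_options' ) ) {
        return $response; // Administrators keep normal access.
    }

    // Record who tried, from where, against which route, so the attempt shows
    // up in the PHP error log (or wherever WP_DEBUG_LOG points) for monitoring.
    error_log( sprintf(
        'yaymail-license-guard: blocked %s %s for user %d from %s',
        $request->get_method(),
        $request->get_route(),
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    return new WP_Error(
        'rest_forbidden',
        'License management is restricted to administrators.',
        array( 'status' => rest_authorization_required_code() )
    );
}
```

Remove the guard once the fixed plugin release is deployed, so that future changes to the plugin's own authorization logic are not masked by it.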
Affected Countries
United Kingdom, Germany, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-02-04T21:22:11.865Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69956e1c80d747be20503e28
Added to database: 2/18/2026, 7:45:32 AM
Last enriched: 2/18/2026, 8:00:43 AM
Last updated: 2/20/2026, 11:28:24 PM