CVE-2026-1943 is a stored Cross-Site Scripting (XSS) vulnerability identified in the YayMail – WooCommerce Email Customizer plugin for WordPress, affecting all versions up to and including 4.3.2. The root cause is improper neutralization of input during web page generation (CWE-79), where the plugin fails to adequately sanitize and escape user-supplied input in its settings interface. This flaw allows authenticated attackers with Shop Manager-level permissions or higher to inject arbitrary JavaScript code into pages generated by the plugin. The malicious scripts execute whenever a user accesses the compromised page, potentially leading to session hijacking, privilege escalation, or data theft. The vulnerability specifically affects multisite WordPress installations or those where the unfiltered_html capability is disabled, limiting the scope of impact. The attack vector requires network access (remote), high attack complexity due to required privileges, no user interaction, and affects confidentiality and integrity with no impact on availability. The vulnerability has a CVSS v3.1 base score of 4.4, categorized as medium severity. No public exploits have been reported yet, but the presence of this vulnerability in a widely used WooCommerce customization plugin poses a significant risk to e-commerce sites relying on multisite configurations. The lack of a patch at the time of reporting necessitates immediate mitigation steps to reduce exposure.

For European organizations, especially e-commerce businesses using WooCommerce with multisite WordPress installations, this vulnerability could lead to unauthorized script execution in the context of authenticated users. This may result in theft of sensitive customer data, session hijacking, or manipulation of email content sent to customers, undermining trust and compliance with data protection regulations such as GDPR. The impact on confidentiality and integrity is moderate given the requirement for Shop Manager-level access, which limits exploitation to insiders or compromised accounts. However, the potential for lateral movement and privilege escalation within the WordPress environment could amplify damage. Disruption of email customization workflows could also affect business operations and customer communications. Organizations with strict security policies disabling unfiltered_html are more exposed. The vulnerability does not affect availability directly but can indirectly harm business continuity through reputational damage and regulatory penalties.

1. Monitor for and apply official patches or updates from yaycommerce as soon as they are released to address this vulnerability. 2. Until a patch is available, restrict Shop Manager and higher privileges to trusted personnel only, minimizing the risk of malicious input injection. 3. Implement additional input validation and output escaping in any customizations or overrides related to the YayMail plugin settings. 4. For multisite WordPress installations, review and harden site configurations to limit the impact of compromised accounts. 5. Enable Web Application Firewalls (WAFs) with rules targeting XSS payloads to detect and block exploitation attempts. 6. Conduct regular audits of user permissions and plugin configurations to ensure no unauthorized changes occur. 7. Educate administrators about the risks of stored XSS and the importance of secure plugin management. 8. Consider disabling or limiting the use of the YayMail plugin in multisite environments if immediate patching is not feasible. 9. Monitor logs for unusual activity related to plugin settings changes or script injections. 10. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks.