2026-02-18 07:25:40
Wordfence
PUBLISHED
The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized license key deletion due to a missing authorization check on the `/yaymail-license/v1/license/delete` REST endpoint in versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to delete the plugins license key via the /yaymail-license/v1/license/delete endpoint granted they can obtain the REST API nonce.