How serious is CVE-2026-1938?

This vulnerability has a CVSS score of 5.3 out of 10, classified as MEDIUM severity. Proof-of-concept exploit code is publicly available, making this an active threat.

Is there exploit code available for CVE-2026-1938?

Yes, proof-of-concept exploit code for CVE-2026-1938 is publicly available on GitHub and security research platforms. This increases the risk of active exploitation.

Which products are affected by CVE-2026-1938?

Check the official CVE details for a complete list of affected products and versions.

How do I fix CVE-2026-1938?

To remediate CVE-2026-1938, check for security patches from the vendor. Apply all available updates and security patches. If no patch is available, implement recommended workarounds or security controls to mitigate the risk.

CVE-2026-1938

Medium

|5.3

Exploit Available

Plain English Summary

AI-powered analysis for quick understanding

An attacker with Shop Manager-level access or higher can delete the YayMail plugin's license key, potentially disrupting email functionalities for the WooCommerce store. To exploit this vulnerability, the attacker must first obtain a specific security token used by the plugin's API.

Technical Description

The YayMail – WooCommerce Email Customizer plugin for WordPress is vulnerable to unauthorized license key deletion due to a missing authorization check on the `/yaymail-license/v1/license/delete` REST endpoint in versions up to, and including, 4.3.2. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to delete the plugin's license key via the '/yaymail-license/v1/license/delete' endpoint granted they can obtain the REST API nonce.

CVSS Vector Analysis

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredNone

User InteractionNone

Confidentiality ImpactNone

Integrity ImpactLow

Availability ImpactNone

ScopeUnchanged

Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Exploit Resources

Search for proof-of-concept code and exploit modules

GitHub Search Exploit-DB Nuclei Templates Metasploit Vulners

Official References

NIST NVD

Est. Bounty

$724($500-$1K)

Vendor Response

Grade APatched in 0 days

Quick Information

Published

Feb 18, 2026

about 2 months ago

Last Modified

Feb 18, 2026

about 2 months ago