Atomic Edge analysis of CVE-2026-1943:
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the YayMail – WooCommerce Email Customizer WordPress plugin. The vulnerability affects versions up to and including 4.3.2, allowing attackers with Shop Manager or higher permissions to inject malicious scripts into email templates. The vulnerability only impacts multi-site installations and installations where the unfiltered_html capability is disabled. With a CVSS score of 4.4, this represents a moderate risk that could lead to session hijacking or administrative compromise.
Atomic Edge research identified the root cause as insufficient input sanitization and output escaping in template element processing. The vulnerability exists in the TemplateModel::update() method at yaymail/src/Models/TemplateModel.php line 294, where user-supplied template elements were stored directly without sanitization. The render_custom_row() method in yaymail/src/Shortcodes/OrderDetails/OrderDetailsRenderer.php lines 518-521 processes custom footer rows by executing do_shortcode() on user-controlled label and value fields without proper output escaping. The yaymail_kses_post() sanitization function was not applied to these fields before storage or output.
The exploitation method requires an authenticated attacker with Shop Manager or higher permissions. Attackers can craft malicious payloads through the plugin's template editor interface, specifically targeting the custom footer rows functionality added in the diff. The attack vector involves sending a POST request to the plugin's template update endpoint with malicious JavaScript in the elements['custom_footer_rows'][index]['label'] or elements['custom_footer_rows'][index]['value'] parameters. When the email template renders, the do_shortcode() function processes the payload, and the lack of wp_kses_post() escaping allows script execution in the victim's browser context.
The patch addresses the vulnerability through multiple layers of defense. The TemplateModel::update() method now calls TemplateHelpers::sanitize_elements_recursive() at line 295 to sanitize all element data before storage. The new sanitize_elements_recursive() function at yaymail/src/Utils/TemplateHelpers.php lines 341-363 applies yaymail_kses_post() to rich_text and title fields. The render_custom_row() method at lines 518-521 now wraps output with wp_kses_post() instead of directly echoing unsanitized content. Additional permission checks were added to restrict plugin installation and addon management to users with install_plugins and activate_plugins capabilities.
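The two defensive layers described above (kses filtering before storage, and again on output after shortcode expansion), sketched as an added PHP example that is not YayMail's own code; the field list, the allowed-tag list and the stand-ins for wp_kses_post() and do_shortcode() that let it run outside WordPress are assumptions.

```php
<?php
// Added example, not YayMail's code. Filter HTML-bearing fields before storage
// and again on output after do_shortcode(). Field names, the allowed-tag list
// and the stand-ins below are assumptions so the file runs outside WordPress.

if ( ! function_exists( 'wp_kses_post' ) ) {
    // Minimal stand-in: drop script/style bodies, then keep a small tag
    // allow-list. Unlike the real wp_kses_post(), it does NOT filter
    // attributes (onclick, javascript: URLs); inside WordPress the real one is used.
    function wp_kses_post( $content ) {
        $content = preg_replace( '#<(script|style)\b[^>]*>.*?</\1>#is', '', (string) $content );
        return strip_tags( $content, '<p><a><strong><em><br>' );
    }
}
if ( ! function_exists( 'do_shortcode' ) ) {
    // Stand-in: no shortcodes registered, so text passes through unchanged.
    function do_shortcode( $content ) {
        return $content;
    }
}

// Fields that are rendered as HTML and therefore must be filtered (assumed list).
const EXAMPLE_HTML_FIELDS = array( 'label', 'value', 'rich_text', 'title' );

// Layer 1: sanitize on storage, walking nested arrays such as custom_footer_rows.
function sanitize_elements_recursive( array $elements ): array {
    foreach ( $elements as $key => $item ) {
        if ( is_array( $item ) ) {
            $elements[ $key ] = sanitize_elements_recursive( $item );
        } elseif ( is_string( $item ) && in_array( (string) $key, EXAMPLE_HTML_FIELDS, true ) ) {
            $elements[ $key ] = wp_kses_post( $item );
        }
    }
    return $elements;
}

// Layer 2: escape on output, after shortcode expansion, so rows stored by an
// unpatched version (or through another path) still cannot carry scripts.
function render_custom_row( array $row ): string {
    $label = wp_kses_post( do_shortcode( $row['label'] ?? '' ) );
    $value = wp_kses_post( do_shortcode( $row['value'] ?? '' ) );
    return '<tr><th>' . $label . '</th><td>' . $value . '</td></tr>';
}

// Constructed input shaped like the elements['custom_footer_rows'] structure.
$elements = array( 'custom_footer_rows' => array(
    array( 'label' => 'Support <script>alert(1)</script>', 'value' => '<strong>24/7</strong>' ),
) );
$clean = sanitize_elements_recursive( $elements );
echo render_custom_row( $clean['custom_footer_rows'][0] );
```

The script element is stripped at storage time while the harmless `<strong>` formatting survives; the output-time wrap is what protects rows that were stored before the fix.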
Successful exploitation allows attackers to execute arbitrary JavaScript in the context of any user viewing WooCommerce emails generated with the malicious template. This can lead to session hijacking, administrative account takeover, data exfiltration, or redirection to malicious sites. Since the payload is stored in the database, the attack persists across sessions and affects all users who receive emails using the compromised template. The impact is particularly severe in WooCommerce environments where email notifications contain sensitive order information and are viewed by both customers and administrators.
