Atomic Edge analysis of CVE-2026-1938:
The YayMail WooCommerce Email Customizer plugin for WordPress versions up to and including 4.3.2 contains a missing authorization vulnerability in its license management REST endpoint. This allows authenticated attackers with Shop Manager-level permissions or higher to delete the plugin’s license key. The vulnerability stems from an improper permission check in the license deletion endpoint, granting unauthorized access to a sensitive administrative function.

Atomic Edge research identifies the root cause in the file yaymail/src/License/RestAPI.php. The permission_callback() method at line 140 originally returned true, effectively disabling authorization checks for all REST endpoints registered by this controller. This method served as the permission callback for the /yaymail-license/v1/license/delete endpoint, which handles license key deletion operations. The vulnerable code path allowed any authenticated user, regardless of their actual capabilities, to pass the permission check and execute the license deletion callback.

Exploitation requires an authenticated attacker with at least Shop Manager privileges. The attacker must send a DELETE or POST request to the WordPress REST API endpoint /wp-json/yaymail-license/v1/license/delete. The request must include a valid WordPress REST API nonce, which Shop Manager users can obtain through normal plugin interface access. No additional parameters are required beyond the nonce, as the endpoint automatically deletes the stored license key upon successful invocation. Atomic Edge testing confirms that this action permanently removes the plugin’s license activation, potentially disrupting premium features and support access.

The patch modifies the permission_callback() method in yaymail/src/License/RestAPI.php at line 140. The fix changes the return value from true to current_user_can('manage_options'). This restricts endpoint access exclusively to users with the manage_options capability, which typically corresponds to Administrator roles in WordPress. The change ensures that only users with proper administrative privileges can delete license keys, while Shop Manager users and other non-administrator roles are correctly denied access. The patch maintains the same endpoint functionality but enforces proper WordPress capability checks.
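To make the root cause and the fix concrete, the following is an added illustrative example and not YayMail's own RestAPI.php: a minimal WordPress REST controller that registers the /yaymail-license/v1/license/delete route with the weak permission callback kept alongside the corrected one. The class name, method names and the option name holding the license key are assumptions made for this example; only the route namespace, the `manage_options` capability and the `permission_callback` behaviour come from the advisory.

```php
<?php
// Added example (not the plugin's code): a REST controller whose
// permission_callback is the only thing standing between any authenticated
// user and license deletion. Class, method and option names are assumed.

class Example_License_Rest_Controller {

    const ROUTE_NAMESPACE = 'yaymail-license/v1';

    public function register_routes() {
        register_rest_route( self::ROUTE_NAMESPACE, '/license/delete', array(
            'methods'             => array( 'POST', 'DELETE' ),
            'callback'            => array( $this, 'delete_license' ),
            // Before the fix the route used a callback equivalent to
            // permission_callback_vulnerable(), so every logged-in user
            // (including Shop Managers) passed authorization.
            // After the fix it uses permission_callback(), which enforces
            // the manage_options capability.
            'permission_callback' => array( $this, 'permission_callback' ),
        ) );
    }

    // Vulnerable form, kept here only for comparison: returning true
    // disables authorization for the route entirely. The REST nonce check
    // still happens, but a nonce only proves the caller is logged in, not
    // that they hold any particular capability.
    public function permission_callback_vulnerable( WP_REST_Request $request ) {
        return true;
    }

    // Fixed form, matching the advisory: the route is reachable only by
    // users with manage_options (Administrators by default). Returning
    // false makes WordPress answer with 401/403 and never run delete_license().
    public function permission_callback( WP_REST_Request $request ) {
        return current_user_can( 'manage_options' );
    }

    // Route callback: removes the stored license key. The option name is an
    // assumption; the real plugin's storage is not described on the page.
    public function delete_license( WP_REST_Request $request ) {
        delete_option( 'example_license_key' );
        return rest_ensure_response( array( 'deleted' => true ) );
    }
}

add_action( 'rest_api_init', function () {
    ( new Example_License_Rest_Controller() )->register_routes();
} );
```

The capability check belongs in `permission_callback`, not inside the route callback, because WordPress evaluates it before invoking the handler and before any side effect can occur. When auditing a plugin for the same class of bug, search its `register_rest_route()` calls for a `permission_callback` that is `__return_true` or a method returning `true` unconditionally, and confirm each mutating route maps to a specific capability rather than to "is logged in".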

Successful exploitation allows attackers with Shop Manager access to delete the YayMail plugin license key. This action can disable premium features, remove access to plugin updates and support, and potentially disrupt email template functionality. While the vulnerability does not directly enable privilege escalation or remote code execution, it represents an integrity violation that can impact business operations relying on customized WooCommerce email templates. The CVSS score of 5.3 reflects the moderate impact combined with the requirement for authenticated Shop Manager access.