YayCommerce 厂商漏洞列表 / CVE 中文分析 24

YayCommerce 厂商相关 24 条 CVE 漏洞，含 AI 中文分析、POC、CVSS 评分与受影响产品。

yaycommerce 是一款面向电商场景的开源内容管理系统，旨在提供灵活的数字化零售解决方案。截至最新统计，该项目已收录 24 条 CVE 漏洞，历史高危问题多集中于远程代码执行、跨站脚本及权限绕过等类型，反映出其在输入验证与访问控制方面曾存在显著缺陷。尽管部分漏洞已修复，但鉴于其处理用户生成内容及支付数据的特性，安全配置与依赖更新仍是运维重点，建议管理员密切关注官方补丁以防范潜在风险。

上位製品 YayCommerce: YayMail – WooCommerce Email Customizer YaySMTP YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service SMTP for SendGrid – YaySMTP SMTP for Amazon SES – YaySMTP YayExtra YayCurrency YayMail YayExtra – WooCommerce Extra Product Options Brand SMTP for Sendinblue – YaySMTP SMTP for Amazon SES YayPricing

CVEs 24

CVE ID	タイトル	CVSS	深刻度	公開日
CVE-2026-39496	WordPress YayMail plugin <= 4.3.3 - SQL Injection vulnerability — YayMailCWE-89	7.6	High	2026-04-08
CVE-2025-67994	WordPress YayCurrency plugin <= 3.3 - Arbitrary Content Deletion vulnerability — YayCurrencyCWE-862	7.5	High	2026-02-20
CVE-2026-27327	WordPress YayMail – WooCommerce Email Customizer plugin <= 4.3.2 - Broken Access Control vulnerability — YayMailCWE-862	4.3	Medium	2026-02-19
CVE-2026-1831	YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Plugin Installation and Activation — YayMail – WooCommerce Email CustomizerCWE-862	2.7	Low	2026-02-18
CVE-2026-1943	YayMail <= 4.3.2 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via Template Elements — YayMail – WooCommerce Email CustomizerCWE-79	4.4	Medium	2026-02-18
CVE-2026-1938	YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) License Key Deletion via '/yaymail-license/v1/license/delete' Endpoint — YayMail – WooCommerce Email CustomizerCWE-862	5.3	Medium	2026-02-18
CVE-2026-1937	YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Options Update via 'yaymail_import_state' AJAX Action — YayMail – WooCommerce Email CustomizerCWE-862	7.2	High	2026-02-18
CVE-2025-60077	WordPress YayPricing plugin <= 3.5.3 - Broken Access Control vulnerability — YayPricingCWE-862	7.5	High	2025-12-18
CVE-2025-60114	WordPress YayCurrency plugin <= 3.3.1 - Remote Code Execution (RCE) vulnerability — YayCurrencyCWE-94	6.6	Medium	2025-09-26
CVE-2025-48161	WordPress YaySMTP plugin <= 1.3 - SQL Injection Vulnerability — YaySMTPCWE-89	7.6	High	2025-07-16
CVE-2025-48299	WordPress YayExtra plugin <= 1.5.5 - SQL Injection Vulnerability — YayExtraCWE-89	7.6	High	2025-07-16
CVE-2025-48301	WordPress SMTP for SendGrid – YaySMTP plugin <= 1.5 - SQL Injection Vulnerability — SMTP for SendGrid – YaySMTPCWE-89	7.6	High	2025-07-16
CVE-2025-54043	WordPress SMTP for Amazon SES plugin <= 1.9 - SQL Injection Vulnerability — SMTP for Amazon SESCWE-89	7.6	High	2025-07-16
CVE-2025-53256	WordPress YaySMTP plugin <= 2.6.6 - SQL Injection Vulnerability — YaySMTPCWE-89	7.6	High	2025-06-27
CVE-2025-47587	WordPress YaySMTP plugin <= 2.6.4 - SQL Injection Vulnerability — YaySMTPCWE-89	7.6	High	2025-05-07
CVE-2025-3434	SMTP for Amazon SES – YaySMTP <= 1.8 - Unauthenticated Stored Cross-Site Scripting via Email Logs — SMTP for Amazon SES – YaySMTPCWE-79	7.2	High	2025-04-11
CVE-2025-31415	WordPress YayExtra <= 1.5.2 - Broken Access Control Vulnerability — YayExtraCWE-862	7.6	High	2025-04-01
CVE-2025-0957	Vulnerability: SMTP for Amazon SES <= 1.8 - Unauthenticated Stored Cross-Site Scripting via Email Logs — SMTP for Amazon SES – YaySMTPCWE-79	7.2	High	2025-02-22
CVE-2025-0953	SMTP for Sendinblue – YaySMTP <= 1.2 - Unauthenticated Stored Cross-Site Scripting via Email Logs — SMTP for Sendinblue – YaySMTPCWE-79	7.2	High	2025-02-22
CVE-2025-0918	SMTP for SendGrid – YaySMTP <= 1.4 - Unauthenticated Stored Cross-Site Scripting via Email Logs — SMTP for SendGrid – YaySMTPCWE-79	7.2	High	2025-02-22
CVE-2025-0916	YaySMTP 2.4.9 - 2.6.2 - Unauthenticated Stored Cross-Site Scripting — YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP ServiceCWE-79	7.2	High	2025-02-19
CVE-2024-54348	WordPress Brandy theme <= 1.1.6 - Cross Site Scripting (XSS) vulnerability — BrandCWE-79	6.5	Medium	2024-12-16
CVE-2024-7257	YayExtra – WooCommerce Extra Product Options <= 1.3.7 - Unauthenticated Arbitrary File Upload via handle_upload_file Function — YayExtra – WooCommerce Extra Product OptionsCWE-434	9.8	Critical	2024-08-03
CVE-2023-3093	YaySMTP <= 2.4.5 - Unauthenticated Stored Cross-Site Scripting via Email — YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP ServiceCWE-79	7.2	High	2023-07-12

本页汇总了 YayCommerce 厂商截至目前公开的全部 24 条 CVE 漏洞。每条漏洞均包含 CVSS 评分、CWE 弱点分类、受影响产品与参考链接，并附带 AI 生成的中文分析以便快速判断风险。

目標達成 すべての支援者に感謝 — 100%達成しました！

YayCommerce 厂商漏洞列表 / CVE 中文分析 24

目標達成すべての支援者に感謝 — 100%達成しました！