YayCommerce — Vulnerabilities & Security Advisories 24

Browse all 24 CVE security advisories affecting YayCommerce. AI-powered Chinese analysis, POCs, and references for each vulnerability.

YayCommerce operates as an e-commerce platform designed to facilitate online retail transactions, serving merchants who require robust digital storefront capabilities. Security audits have identified twenty-four distinct Common Vulnerabilities and Exposures (CVEs) associated with the software, indicating a persistent history of security flaws. The most prevalent vulnerability classes include remote code execution (RCE), cross-site scripting (XSS), and privilege escalation, which collectively allow attackers to compromise system integrity or access unauthorized data. These issues often stem from insufficient input validation and inadequate access controls within the application’s architecture. While specific major public incidents are not widely documented in mainstream news, the high volume of CVEs suggests significant exposure risks for deployed instances. Organizations utilizing YayCommerce must prioritize regular patching and rigorous security testing to mitigate these known weaknesses and protect sensitive customer information from potential exploitation.

| CVE ID | Title | Affected product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-39496 | WordPress YayMail plugin <= 4.3.3 - SQL Injection vulnerability | YayMail | CWE-89 | 7.6 | High | 2026-04-08 |
| CVE-2025-67994 | WordPress YayCurrency plugin <= 3.3 - Arbitrary Content Deletion vulnerability | YayCurrency | CWE-862 | 7.5 | High | 2026-02-20 |
| CVE-2026-27327 | WordPress YayMail – WooCommerce Email Customizer plugin <= 4.3.2 - Broken Access Control vulnerability | YayMail | CWE-862 | 4.3 | Medium | 2026-02-19 |
| CVE-2026-1831 | YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Plugin Installation and Activation | YayMail – WooCommerce Email Customizer | CWE-862 | 2.7 | Low | 2026-02-18 |
| CVE-2026-1943 | YayMail <= 4.3.2 - Authenticated (Shop Manager+) Stored Cross-Site Scripting via Template Elements | YayMail – WooCommerce Email Customizer | CWE-79 | 4.4 | Medium | 2026-02-18 |
| CVE-2026-1938 | YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) License Key Deletion via '/yaymail-license/v1/license/delete' Endpoint | YayMail – WooCommerce Email Customizer | CWE-862 | 5.3 | Medium | 2026-02-18 |
| CVE-2026-1937 | YayMail <= 4.3.2 - Missing Authorization to Authenticated (Shop Manager+) Arbitrary Options Update via 'yaymail_import_state' AJAX Action | YayMail – WooCommerce Email Customizer | CWE-862 | 7.2 | High | 2026-02-18 |
| CVE-2025-60077 | WordPress YayPricing plugin <= 3.5.3 - Broken Access Control vulnerability | YayPricing | CWE-862 | 7.5 | High | 2025-12-18 |
| CVE-2025-60114 | WordPress YayCurrency plugin <= 3.3.1 - Remote Code Execution (RCE) vulnerability | YayCurrency | CWE-94 | 6.6 | Medium | 2025-09-26 |
| CVE-2025-48161 | WordPress YaySMTP plugin <= 1.3 - SQL Injection Vulnerability | YaySMTP | CWE-89 | 7.6 | High | 2025-07-16 |
| CVE-2025-48299 | WordPress YayExtra plugin <= 1.5.5 - SQL Injection Vulnerability | YayExtra | CWE-89 | 7.6 | High | 2025-07-16 |
| CVE-2025-48301 | WordPress SMTP for SendGrid – YaySMTP plugin <= 1.5 - SQL Injection Vulnerability | SMTP for SendGrid – YaySMTP | CWE-89 | 7.6 | High | 2025-07-16 |
| CVE-2025-54043 | WordPress SMTP for Amazon SES plugin <= 1.9 - SQL Injection Vulnerability | SMTP for Amazon SES | CWE-89 | 7.6 | High | 2025-07-16 |
| CVE-2025-53256 | WordPress YaySMTP plugin <= 2.6.6 - SQL Injection Vulnerability | YaySMTP | CWE-89 | 7.6 | High | 2025-06-27 |
| CVE-2025-47587 | WordPress YaySMTP plugin <= 2.6.4 - SQL Injection Vulnerability | YaySMTP | CWE-89 | 7.6 | High | 2025-05-07 |
| CVE-2025-3434 | SMTP for Amazon SES – YaySMTP <= 1.8 - Unauthenticated Stored Cross-Site Scripting via Email Logs | SMTP for Amazon SES – YaySMTP | CWE-79 | 7.2 | High | 2025-04-11 |
| CVE-2025-31415 | WordPress YayExtra <= 1.5.2 - Broken Access Control Vulnerability | YayExtra | CWE-862 | 7.6 | High | 2025-04-01 |
| CVE-2025-0957 | Vulnerability: SMTP for Amazon SES <= 1.8 - Unauthenticated Stored Cross-Site Scripting via Email Logs | SMTP for Amazon SES – YaySMTP | CWE-79 | 7.2 | High | 2025-02-22 |
| CVE-2025-0953 | SMTP for Sendinblue – YaySMTP <= 1.2 - Unauthenticated Stored Cross-Site Scripting via Email Logs | SMTP for Sendinblue – YaySMTP | CWE-79 | 7.2 | High | 2025-02-22 |
| CVE-2025-0918 | SMTP for SendGrid – YaySMTP <= 1.4 - Unauthenticated Stored Cross-Site Scripting via Email Logs | SMTP for SendGrid – YaySMTP | CWE-79 | 7.2 | High | 2025-02-22 |
| CVE-2025-0916 | YaySMTP 2.4.9 - 2.6.2 - Unauthenticated Stored Cross-Site Scripting | YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service | CWE-79 | 7.2 | High | 2025-02-19 |
| CVE-2024-54348 | WordPress Brandy theme <= 1.1.6 - Cross Site Scripting (XSS) vulnerability | Brand | CWE-79 | 6.5 | Medium | 2024-12-16 |
| CVE-2024-7257 | YayExtra – WooCommerce Extra Product Options <= 1.3.7 - Unauthenticated Arbitrary File Upload via handle_upload_file Function | YayExtra – WooCommerce Extra Product Options | CWE-434 | 9.8 | Critical | 2024-08-03 |
| CVE-2023-3093 | YaySMTP <= 2.4.5 - Unauthenticated Stored Cross-Site Scripting via Email | YaySMTP and Email Logs: Amazon SES, SendGrid, Outlook, Mailgun, Brevo, Google and Any SMTP Service | CWE-79 | 7.2 | High | 2023-07-12 |

This page lists every published CVE security advisory associated with YayCommerce. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.