CVE-2026-1925
Received Received - Intake
Unauthorized Data Modification in EmailKit WooCommerce Plugin

Publication date: 2026-02-18

Last updated on: 2026-02-18

Assigner: Wordfence

Description
The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'update_template_data' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the title of any post on the site, including posts, pages, and custom post types.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-18
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-18
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1925
EUVD
EUVD-2026-8060
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordfence emailkit to 1.6.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress has a vulnerability due to a missing capability check on the 'update_template_data' function in all versions up to and including 1.6.2.

This flaw allows authenticated attackers with Subscriber-level access or higher to modify the title of any post on the site, including posts, pages, and custom post types, without proper authorization.

Impact Analysis

This vulnerability can allow attackers with low-level authenticated access to alter the titles of any posts on the WordPress site, including pages and custom post types.

Such unauthorized modifications can lead to misinformation, defacement, or manipulation of site content, potentially damaging the site's integrity and user trust.

Since the attacker does not need high-level privileges, this increases the risk of exploitation by less privileged users.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability involves unauthorized modification of post titles via the 'update_template_data' AJAX action in the EmailKit plugin for WordPress. Detection can focus on monitoring AJAX requests to the WordPress admin interface that invoke this action."}, {'type': 'paragraph', 'content': "Specifically, you can look for HTTP POST requests containing the parameter 'action=emailkit_update_template_data' targeting the WordPress admin AJAX endpoint (usually /wp-admin/admin-ajax.php). Such requests may include parameters like 'template_id' and 'title' to update email template titles."}, {'type': 'paragraph', 'content': 'Since the vulnerability allows authenticated users with Subscriber-level access or above to modify post titles without proper capability checks, monitoring for unexpected or unauthorized changes to post titles in the WordPress database can also help detect exploitation.'}, {'type': 'list_item', 'content': "Use web server logs or network monitoring tools to filter POST requests to /wp-admin/admin-ajax.php with 'action=emailkit_update_template_data'."}, {'type': 'list_item', 'content': 'On the WordPress server, run database queries to check for recent changes to post titles of email templates or other posts that should not be modified by low-privilege users.'}, {'type': 'list_item', 'content': "Example command to search web server logs (Apache) for suspicious AJAX update attempts: grep 'POST /wp-admin/admin-ajax.php' /var/log/apache2/access.log | grep 'action=emailkit_update_template_data'"}, {'type': 'list_item', 'content': "Example WP-CLI command to list recently modified posts: wp post list --post_type='any' --orderby=modified --order=desc --fields=ID,post_title,post_modified"}] [2, 4]

Mitigation Strategies

[{'type': 'paragraph', 'content': "To mitigate this vulnerability, the primary step is to update the EmailKit plugin to a version that includes proper capability checks on the 'update_template_data' function, such as version 1.6.3 or later."}, {'type': 'paragraph', 'content': 'Until an update is applied, restrict access to the WordPress admin area to trusted users only, as the vulnerability allows authenticated users with Subscriber-level access and above to modify post titles.'}, {'type': 'paragraph', 'content': 'Additionally, consider implementing monitoring and alerting for unexpected changes to post titles or email templates.'}, {'type': 'list_item', 'content': 'Update the EmailKit plugin to version 1.6.3 or later where capability checks are enforced.'}, {'type': 'list_item', 'content': 'Limit user roles and permissions to minimize the number of users with access to the WordPress admin area.'}, {'type': 'list_item', 'content': 'Monitor logs and database changes for unauthorized modifications to posts or email templates.'}, {'type': 'list_item', 'content': 'If immediate update is not possible, consider temporarily disabling the EmailKit plugin or restricting access to its AJAX endpoints via web application firewall rules.'}] [3, 4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1925. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart