Executive Summary

[{'type': 'paragraph', 'content': 'The YayMail – WooCommerce Email Customizer plugin for WordPress has a vulnerability in versions up to and including 4.3.2 where the REST endpoint `/yaymail-license/v1/license/delete` lacks proper authorization checks.'}, {'type': 'paragraph', 'content': "This means that authenticated users with Shop Manager-level access or higher can delete the plugin's license key if they can obtain the REST API nonce, even though they should not have permission to do so."}, {'type': 'paragraph', 'content': 'The root cause is that the permission callback for this endpoint always returns true, allowing access without verifying user capabilities.'}] [2]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows attackers with Shop Manager-level access or above to delete the plugin's license key without proper authorization."}, {'type': 'paragraph', 'content': 'Deleting the license key could disable plugin features that require a valid license, potentially disrupting email customization functionality in WooCommerce.'}, {'type': 'paragraph', 'content': "Since the license key controls plugin activation, unauthorized deletion might lead to loss of support, updates, or functionality, impacting the site's operation."}] [2]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves unauthorized license key deletion via the REST API endpoint `/yaymail-license/v1/license/delete` in YayMail plugin versions up to 4.3.2. Detection can focus on monitoring HTTP POST requests to this specific REST endpoint.

To detect potential exploitation attempts on your system or network, you can monitor web server logs or use network traffic inspection tools to identify POST requests targeting the `/yaymail-license/v1/license/delete` endpoint.

• Use command-line tools like grep to search web server access logs for suspicious POST requests: `grep 'POST /wp-json/yaymail-license/v1/license/delete' /path/to/access.log`
• Use network packet capture tools such as tcpdump or Wireshark to filter HTTP POST requests to the vulnerable endpoint, for example: `tcpdump -i eth0 -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/wp-json/yaymail-license/v1/license/delete'`

Additionally, monitoring WordPress REST API logs or enabling detailed logging on the web server for REST API calls can help identify unauthorized license deletion attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update the YayMail plugin to version 4.3.3 or later, which includes security fixes that enforce stricter permission checks on the license management REST API endpoints.

The update changes the permission callback for the `/license/delete` endpoint to require the `manage_options` capability, restricting access to administrator-level users only, and enforces nonce verification properly.

• Immediately update the YayMail plugin to version 4.3.3 or newer.
• Restrict access to the WordPress REST API endpoints by limiting user roles and capabilities, ensuring only trusted administrators have permissions to manage plugins.
• If updating immediately is not possible, consider temporarily restricting access to the `/yaymail-license/v1/license/delete` endpoint via web server rules or firewall rules to block unauthorized POST requests.

Regularly monitor your WordPress user roles and REST API usage to detect and prevent unauthorized actions.

Useful 0 Not Useful 0