{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39496", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:47:43.843Z", "datePublished": "2026-04-08T08:30:12.339Z", "dateUpdated": "2026-04-08T08:30:12.339Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "yaymail", "product": "YayMail", "vendor": "YayCommerce", "versions": [{"changes": [{"at": "4.3.4", "status": "unaffected"}], "lessThanOrEqual": "4.3.3", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:58.985Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YayMail yaymail allows Blind SQL Injection.<p>This issue affects YayMail: from n/a through <= 4.3.3.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YayMail yaymail allows Blind SQL Injection.This issue affects YayMail: from n/a through <= 4.3.3."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:12.339Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/yaymail/vulnerability/wordpress-yaymail-plugin-4-3-3-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress YayMail plugin <= 4.3.3 - SQL Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce YayMail yaymail allows Blind SQL Injection.This issue affects YayMail: from n/a through <= 4.3.3."}], "id": "CVE-2026-39496", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:23.953", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/yaymail/vulnerability/wordpress-yaymail-plugin-4-3-3-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-08T09:23:36.729857+00:00", "value": {"mitigation_remediation": ["Upgrade YayMail to a version newer than 4.3.3 if a patched release is available", "Limit the WordPress database account to SELECT only to prevent data modification", "Configure a web application firewall rule that screens for common SQL injection patterns targeting YayMail", "Regularly review database logs for anomalous queries indicating exploitation attempts"], "summary": {"action": "Immediate Patch", "impact": "Database Compromise"}, "threat_synthesis": {"affected_systems": "Affected users run any version of the YayCommerce YayMail plugin up to and including 4.3.3 on WordPress sites. The flaw is present in all releases from the earliest available version through 4.3.3.", "description_and_impact": "The WordPress YayMail plugin contains a blind SQL injection flaw that permits attackers to inject arbitrary SQL commands through unvalidated input. This vulnerability can lead to unauthorized data disclosure, alteration, or deletion within the site's database. The weakness aligns with CWE-89, representing improper neutralization of special elements used in an SQL command.", "risk_and_exploitability": "Due to the nature of blind SQL injection, an attacker could gain significant database access with well\u2011crafted payloads. The vulnerability is likely exploitable from the web interface, though no specific attack vector is documented; the typical injection points may involve email addresses or form fields. No CVSS score is published, but the absence of an EPSS score and lack of listing in CISA's KEV suggests that, while not currently a widely exploited target, the potential impact remains high. Implementing a patch or mitigations promptly is prudent."}}}}, "created": "2026-04-08T19:43:08.229804+00:00", "updated": "2026-04-08T19:43:08.229829+00:00", "vendors": []}