CVE-2026-1925

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-1925
The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'update_template_data' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the title of any post on the site, including posts, pages, and custom post types.

4.3 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://plugins.trac.wordpress.org/browser/emailkit/tags/1.6.2/includes/Admin/EmailKitAjax.php#L150
https://plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/EmailKitAjax.php#L150
https://plugins.trac.wordpress.org/changeset/3456972/emailkit/trunk?contextall=1&old=3419280&old_path=%2Femailkit%2Ftrunk#file1
https://www.wordfence.com/threat-intel/vulnerabilities/id/f131ea1e-d652-4854-abea-6a307ca8118f?source=cve
Configurations

No configuration.

History

18 Feb 2026, 17:51

Type Values Removed Values Added
Summary
  • (es) El plugin EmailKit – Email Customizer para WooCommerce & WP para WordPress es vulnerable a la modificación no autorizada de datos debido a una falta de verificación de capacidad en la función update_template_data en todas las versiones hasta la 1.6.2, inclusive. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, modifiquen el título de cualquier entrada en el sitio, incluyendo entradas, páginas y tipos de entrada personalizados.

18 Feb 2026, 05:16

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-18 05:16

Updated : 2026-02-18 17:51

NVD link : CVE-2026-1925

Mitre link : CVE-2026-1925

CVE.ORG link : CVE-2026-1925

JSON object : View

Products Affected

No product.

CWE
CWE-862

Missing Authorization