Medium severity4.3NVD Advisory· Published Feb 18, 2026· Updated Apr 15, 2026
CVE-2026-1925
CVE-2026-1925
Description
The EmailKit – Email Customizer for WooCommerce & WP plugin for WordPress is vulnerable to unauthorized data modification due to a missing capability check on the 'update_template_data' function in all versions up to, and including, 1.6.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify the title of any post on the site, including posts, pages, and custom post types.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Patches
Vulnerability mechanics
References
4- plugins.trac.wordpress.org/browser/emailkit/tags/1.6.2/includes/Admin/EmailKitAjax.phpnvd
- plugins.trac.wordpress.org/browser/emailkit/trunk/includes/Admin/EmailKitAjax.phpnvd
- plugins.trac.wordpress.org/changeset/3456972/emailkit/trunknvd
- www.wordfence.com/threat-intel/vulnerabilities/id/f131ea1e-d652-4854-abea-6a307ca8118fnvd
News mentions
0No linked articles in our index yet.