CVE-2026-39498

Vulnerability

YayMail, a WordPress plugin, up to version 4.3.3 contains a PHP Object Injection vulnerability. The bug arises from insecure deserialization of user-supplied input, enabling injection of arbitrary PHP objects if a suitable POP (Property Oriented Programming) chain exists in the application or its dependencies. The vulnerable code path is reachable without authentication, requiring only that the plugin is activated.

Exploitation

An attacker can exploit this vulnerability by sending a crafted request containing a malicious serialized PHP object to the affected plugin endpoints. No prior authentication or special privileges are needed. The attack is expected to be used in mass-exploit campaigns, targeting thousands of WordPress sites regardless of traffic size [1].

Impact

Successful exploitation can lead to various severe outcomes, including arbitrary code execution, SQL injection, path traversal, denial of service, and other attacks, depending on the available POP chain [1]. The attacker may gain elevated privileges within the WordPress environment and potentially achieve full site compromise.

Mitigation

The vendor has released version 4.3.4, which fixes the vulnerability [1]. Users are strongly advised to update immediately. For Patchstack subscribers, a mitigation rule is available to block attacks until the update is applied [1]. Automatic updates can be enabled for vulnerable plugins [1].