Description
The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions from 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected `cms_id` pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators.
Published: 2026-04-16
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

The plugin allows authenticated subscribers to bypass capability checks on the wp_ajax_acymailing_router AJAX handler, enabling access to admin controllers such as configuration management. This flaw permits authenticated attackers with Subscriber-level access or higher to enable the autologin feature, create a malicious subscriber record that references any existing WordPress user via the cms_id field, and then use the autologin URL to log in as that user. The attacker can therefore gain full administrative control, exfiltrate data, modify settings, or deploy further malware. The weakness is a missing authorization check, identified as CWE‑862.

Affected Systems

All installations of the AcyMailing WordPress plugin from version 9.11.0 through 10.8.1 are vulnerable. This includes any site running these plugin versions, regardless of hosting environment or customizations, because the flaw resides in the plugin's core router and controller files. The vendor is acyba, and the product is listed as AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress. Users should verify the installed plugin version and update if the site is still on one of these vulnerable releases.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the EPSS score is unavailable, meaning a precise exploitation likelihood cannot be quantified. The vulnerability is not listed in CISA’s KEV catalog, but the impact remains significant because an attacker holding any Subscriber-level account can escalate privileges without elevated credentials. The attack requires an authenticated session, so exposure is limited to sites where an attacker can obtain at least a Subscriber account (for example, through open registration). Once authenticated, the attacker can immediately exploit the missing check to trigger the sequence that builds a malicious subscriber and leverages the autologin link to impersonate higher‑privilege users.

Generated by OpenCVE AI on April 16, 2026 at 08:55 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade AcyMailing to version 10.8.2 or later, which resolves the missing capability check. If no newer version is available, contact acyba for a patch or disable the affected router endpoint.
  • Restrict or remove Subscriber‑level accounts that do not need access, and review role capabilities so that only trusted users hold abilities that let them reach the wp_ajax_acymailing_router endpoint.
  • If the autologin feature is not required, disable it or restrict it so that an attacker cannot leverage an autologin link even if they have created a malicious subscriber record, thereby limiting the potential for credential compromise.
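The recommended actions above come down to one control: every controller reachable through the AJAX router must be gated by an explicit capability check, because a `wp_ajax_*` hook on its own only requires that the caller be logged in, which a Subscriber is. The following is an added illustration, not AcyMailing's code and not taken from the advisory: a hypothetical WordPress AJAX router (`example_router`, its `ctrl` parameter, the controller names, the nonce action and the `manage_options` capability are all assumptions) shown in the shape that produces a CWE-862 flaw and in a hardened shape.

```php
<?php
// Added illustration, not AcyMailing's code. Hypothetical router names and
// controller names are assumptions; the WordPress API calls are real.

// Vulnerable shape: the hook only guarantees a logged-in session, so any
// Subscriber can select an admin-only controller. No nonce, no capability check.
add_action( 'wp_ajax_example_router_vulnerable', 'example_router_vulnerable' );
function example_router_vulnerable() {
    $ctrl = isset( $_REQUEST['ctrl'] ) ? sanitize_key( $_REQUEST['ctrl'] ) : '';
    example_dispatch( $ctrl ); // reaches 'config' for every authenticated user
    wp_die();
}

// Hardened shape: verify a nonce issued to this user, then require the
// capability that the selected controller demands before dispatching.
add_action( 'wp_ajax_example_router', 'example_router_hardened' );
function example_router_hardened() {
    // CSRF protection: dies with 403 unless the 'nonce' field is valid.
    check_ajax_referer( 'example_router_nonce', 'nonce' );

    $ctrl = isset( $_REQUEST['ctrl'] ) ? sanitize_key( $_REQUEST['ctrl'] ) : '';

    // Allow-list of controllers and the capability each one requires (assumed).
    // Anything not listed is refused, so a new admin controller is closed by default.
    $required_cap = array(
        'config'      => 'manage_options', // configuration management: admins only
        'subscribers' => 'manage_options', // creating/linking subscriber records
        'profile'     => 'read',           // the only controller a Subscriber needs
    );

    if ( ! isset( $required_cap[ $ctrl ] ) || ! current_user_can( $required_cap[ $ctrl ] ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    example_dispatch( $ctrl );
    wp_die();
}

// Hand off to a controller class named after the selected controller (assumed layout).
function example_dispatch( $ctrl ) {
    $class = 'Example_Controller_' . ucfirst( $ctrl );
    if ( class_exists( $class ) ) {
        ( new $class() )->run();
    }
}
```

Two design points follow from the advisory's description. First, the check belongs in the router, before dispatch, so that every controller inherits it; a check inside individual controllers is easy to omit for a newly added one. Second, the gate is independent of the data flaw the advisory also names: a subscriber record's link to a WordPress account (`cms_id` on this page) should be set server-side from `get_current_user_id()` rather than accepted from request input, so that a caller who does reach the subscriber controller still cannot bind a record to another user.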

Advisories

No advisories yet.

History

Thu, 16 Apr 2026 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 16 Apr 2026 09:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added:
  • Acyba
  • Acyba acymailing – An Ultimate Newsletter Plugin And Marketing Automation Solution For Wordpress
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added:
  • Acyba
  • Acyba acymailing – An Ultimate Newsletter Plugin And Marketing Automation Solution For Wordpress
  • Wordpress
  • Wordpress wordpress

Thu, 16 Apr 2026 05:45:00 +0000

Type: Description
Values Removed: (none)
Values Added: The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions From 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected `cms_id` pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators.

Type: Title
Values Removed: (none)
Values Added: AcyMailing 9.11.0 - 10.8.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Acyba Acymailing – An Ultimate Newsletter Plugin And Marketing Automation Solution For Wordpress
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-16T13:42:14.595Z

Reserved: 2026-03-05T18:21:42.550Z

Link: CVE-2026-3614

Vulnrichment

Updated: 2026-04-16T13:29:01.238Z

NVD

Status: Received

Published: 2026-04-16T06:16:18.167

Modified: 2026-04-16T06:16:18.167

Link: CVE-2026-3614

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T09:11:45Z

Weaknesses