Description
The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 10.8.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify privileged AcyMailing configuration, export subscriber secret keys, and chain these actions into administrator account takeover when a target administrator email address is known.
Published: 2026-05-20
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization check in the AcyMailing WordPress plugin up to version 10.8.2, a flaw identified as CWE‑862. An attacker who is already authenticated with at least subscriber-level privileges can exploit the acymailing_router endpoint to alter privileged plugin configuration, export subscriber secret keys, and then chain these actions to compromise an administrator account when the target administrator’s email address is known. The effect is the escalation of privileges to administrator level, allowing full control of the WordPress site and its data.

Affected Systems

This issue affects the AcyMailing Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress, versions 10.8.2 and earlier. All installations of these versions are vulnerable to the missing authorization flaw described above.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity with potential for complete compromise of site administration. No EPSS value is available, but the vulnerability can be exploited by any authenticated user with subscriber or higher role; therefore it remains a serious threat. The vulnerability is not listed in the CISA KEV catalog, yet the lack of authorization makes it highly exploitable in typical WordPress deployments.

Generated by OpenCVE AI on May 20, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the AcyMailing plugin to any version newer than 10.8.2 to receive the vendor‑released fix for the missing authorization check.
  • If an upgrade is not immediately possible, remove or restrict the acymailing_router functionality for subscriber‑level users, or disable the plugin entirely until a patch is applied.
  • Change the target administrator email address to one that is not publicly known or shared elsewhere, reducing the ability to target the account during a chain attack.

Generated by OpenCVE AI on May 20, 2026 at 08:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 20 May 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Acyba
Acyba acymailing – An Ultimate Newsletter Plugin And Marketing Automation Solution For Wordpress
Wordpress
Wordpress wordpress
Vendors & Products Acyba
Acyba acymailing – An Ultimate Newsletter Plugin And Marketing Automation Solution For Wordpress
Wordpress
Wordpress wordpress

Wed, 20 May 2026 07:45:00 +0000

Type Values Removed Values Added
Description The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 10.8.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify privileged AcyMailing configuration, export subscriber secret keys, and chain these actions into administrator account takeover when a target administrator email address is known.
Title AcyMailing <= 10.8.2 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via 'acymailing_router'
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Acyba Acymailing – An Ultimate Newsletter Plugin And Marketing Automation Solution For Wordpress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T12:19:49.898Z

Reserved: 2026-03-31T01:30:24.976Z

Link: CVE-2026-5200

cve-icon Vulnrichment

Updated: 2026-05-20T12:19:46.529Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T08:16:22.860

Modified: 2026-05-20T13:54:54.890

Link: CVE-2026-5200

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T09:00:11Z

Weaknesses