CVE-2026-3614

Summary

The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions From 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the wp_ajax_acymailing_router AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected cms_id pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators.

Affected Software

VendorProductVersion RangeStatus
acybaAcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress9.11.0 <= 10.8.1affected

Weaknesses

  • CWE-862: CWE-862 Missing Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References