AcyMailing for WordPress: Privilege Escalation Risk for Attackers
CVE-2026-3614
Summary
The AcyMailing plugin for WordPress is vulnerable to privilege escalation: a missing capability check lets authenticated users with Subscriber-level access or higher reach admin-only features and potentially take control of the site. The issue affects all versions of the plugin from 9.11.0 up to and including 10.8.1. To protect your site, update AcyMailing to a version in which the issue is fixed.
Original title
The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions from 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_route...
Original description
The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions from 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected `cms_id` pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators.
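The root cause described above is a WordPress AJAX router that dispatches to admin-only controllers without asking who is calling. The following is an added illustration, not AcyMailing's own code: a hypothetical plugin (`myplugin`, with made-up controller names) showing the vulnerable router pattern beside a hardened one that verifies a nonce and gates non-front-end controllers behind `manage_options`.

```php
<?php
/**
 * Added illustration, not AcyMailing's own code. Hypothetical plugin
 * "myplugin" with a single AJAX router that dispatches to named controllers.
 */

// Controllers any logged-in user may reach; everything else is admin-only.
// (Hypothetical names; a real plugin maintains its own allow-list.)
const MYPLUGIN_FRONTEND_CONTROLLERS = array( 'frontusers', 'frontsubscribe' );

// Decide whether the current user may reach the requested controller.
function myplugin_route_allowed( string $ctrl ): bool {
    if ( in_array( $ctrl, MYPLUGIN_FRONTEND_CONTROLLERS, true ) ) {
        return true;
    }
    return current_user_can( 'manage_options' );
}

// VULNERABLE PATTERN (CWE-862, Missing Authorization): wp_ajax_ hooks run for
// any logged-in user, so a Subscriber reaches every controller, 'config'
// included, because the handler never checks a capability.
function myplugin_router_vulnerable() {
    $ctrl = sanitize_key( $_REQUEST['ctrl'] ?? '' );
    $task = sanitize_key( $_REQUEST['task'] ?? '' );
    do_action( "myplugin_controller_{$ctrl}", $task );
}

// HARDENED PATTERN: nonce check, then capability gate, then dispatch.
function myplugin_router_hardened() {
    check_ajax_referer( 'myplugin_router', 'nonce' ); // dies on failure
    $ctrl = sanitize_key( $_REQUEST['ctrl'] ?? '' );
    $task = sanitize_key( $_REQUEST['task'] ?? '' );
    if ( ! myplugin_route_allowed( $ctrl ) ) {
        // Denied requests are worth logging: a low-privilege account
        // repeatedly requesting admin controllers is the signal to alert on.
        error_log( sprintf( 'myplugin: user %d denied controller %s',
                            get_current_user_id(), $ctrl ) );
        wp_send_json_error( 'forbidden', 403 ); // sends the response and exits
    }
    do_action( "myplugin_controller_{$ctrl}", $task );
}

// Only the hardened handler is registered; the vulnerable one is kept above
// for comparison only.
add_action( 'wp_ajax_myplugin_router', 'myplugin_router_hardened' );
```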
NVD CVSS 3.1 base score
8.8
Vulnerability type
CWE-862 (Missing Authorization)
Published: 16 Apr 2026 · Updated: 16 Apr 2026 · First seen: 16 Apr 2026