Threat Entry Updated 2026-04-22

CVE-2026-3614 - Acymailing Plugin

The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions From 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected `cms_id` pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators.

PLUGIN Acymailing

CVE-2026-3614

HIGH CVSS 8.8 2026-04-16

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2024-09-27

CVE-2024-7384 - Acymailing Plugin

The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the acym_extractArchive function in all versions up to, and including, 9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Acymailing

CVE-2024-7384

HIGH CVSS 7.5 2024-08-22

Risk Score

Open Full Technical Breakdown