Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Stored XSS payload executes only when a victim visits the page, warranting UI:R; contributor authentication required sets PR:L; scope change applies as victim browser is the impacted component.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The AcyMailing - An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alignment' attribute in all versions up to, and including, 10.10.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the AcyMailing WordPress newsletter plugin (all versions up to and including 10.10.2) permits authenticated contributors to inject persistent arbitrary scripts via the unsanitized 'alignment' attribute across both the classic form builder and Gutenberg block editor code paths. Any user - including unauthenticated site visitors - who subsequently loads a page containing the injected element triggers script execution in their browser, enabling session hijacking, credential theft, or malicious redirects. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to possess a valid WordPress account at contributor level or above - this is the definitive gating condition and the primary limit on real-world exposure. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 6.4 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects a low-privilege network attack with scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or compromises a contributor-level WordPress account on the target site and edits or creates an AcyMailing newsletter form or Gutenberg block, injecting a crafted JavaScript payload into the 'alignment' attribute field (e.g., a value containing a script tag or event handler). The payload is stored in the database without sanitization via the vulnerable code paths in form.php or Gutenberg.php. … |
| Remediation | A fix has been committed to the WordPress Plugin Trac repository (changeset 3597432, viewable at https://plugins.trac.wordpress.org/changeset?reponame=&old=3597432%40acymailing&new=3597432%40acymailing); however, the specific patched release version number is not confirmed in the available input data - administrators should update to the latest available version via the WordPress Plugin Directory and cross-reference the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/4fd76fbc-22df-4071-a2ae-9c9ac9cdbc57 to confirm a patched release is available before updating. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42521
GHSA-8j9m-p63v-r54h