EUVD-2026-23188CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionNVD
The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions From 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the wp_ajax_acymailing_router AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected cms_id pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators.
AnalysisAI
Privilege escalation in AcyMailing WordPress plugin (versions 9.11.0-10.8.1) allows authenticated Subscriber-level users to gain administrator access through a multi-stage attack chain. Attackers exploit a missing capability check in the wp_ajax_acymailing_router AJAX handler to access admin-only configuration controllers, enable autologin features, inject malicious cms_id values into newsletter subscribers, and authenticate as any WordPress user including administrators. …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Identify all WordPress instances running AcyMailing versions 9.11.0-10.8.1 via plugin audit tools and disable subscriber registration if not operationally critical. Within 7 days: Restrict AJAX access via Web Application Firewall rules to block wp_ajax_acymailing_router from unauthenticated sources, and disable the AcyMailing plugin entirely pending vendor patch release. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today