Skip to main content

AcyMailing (WordPress) CVE-2026-57740

| EUVDEUVD-2026-43382 HIGH
Missing Authorization (CWE-862)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
vuln.today AI
7.1 HIGH

Network-reachable handler with low complexity and no UI, but missing-authorization abuse requires an authenticated low-privilege account (PR:L); impact is service disruption (A:H) plus limited data change (I:L), no confidentiality (C:N).

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:40 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Missing Authorization vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter acymailing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AcyMailing SMTP Newsletter: from n/a through <= 10.11.1.

AnalysisAI

Broken access control in the AcyMailing SMTP Newsletter plugin for WordPress (versions up to and including 10.11.1) lets an authenticated low-privileged user reach functionality that should be restricted, impacting integrity and, most notably, availability of the plugin's newsletter/mailing operations. The flaw is a missing authorization check (CWE-862) reported by Patchstack; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege WordPress account
Delivery
Send crafted request to AcyMailing handler
Exploit
Missing authorization check bypassed
Execution
Invoke privileged mailing operation
Impact
Disrupt newsletter service / alter data

Vulnerability AssessmentAI

Exploitation Requires an authenticated WordPress account of at least low privilege on the target site (CVSS PR:L) - exploitation is not possible pre-authentication. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderate and partially incomplete. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a low-privilege account (e.g., Subscriber) on a WordPress site running the vulnerable plugin, then sends a crafted request to an AcyMailing action handler that lacks a capability check. Because authorization is missing, the request succeeds and the attacker triggers a privileged mailing operation that disrupts the newsletter service (A:H) and alters some data (I:L). …
Remediation Upgrade the AcyMailing SMTP Newsletter plugin to the vendor's fixed release beyond 10.11.1 as soon as it is confirmed available; no exact fix version is independently verified from the provided data, so consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/acymailing/vulnerability/wordpress-acymailing-smtp-newsletter-plugin-10-10-2-broken-access-control-vulnerability) and the vendor changelog for the precise patched build before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all WordPress user accounts with access to AcyMailing plugin functionality and document current privilege levels, particularly identifying any low-privileged accounts with unnecessary newsletter management access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57740 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy