Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Stored XSS realistically needs a low-privilege account to inject persistent content (PR:L) and a victim to view it (UI:R); scope change (S:C) as script escapes plugin context with limited C/I/A impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter acymailing allows Stored XSS.This issue affects AcyMailing SMTP Newsletter: from n/a through <= 10.11.0.
AnalysisAI
Stored cross-site scripting in the AcyMailing SMTP Newsletter plugin for WordPress allows attackers to persist malicious JavaScript that executes in the browser of any user who views the affected page, up to and including version 10.11.0. The scope-change CVSS vector (S:C) indicates the injected script can break out of the plugin's context into the wider WordPress site, enabling session theft or admin-panel actions. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that an attacker be able to submit content that AcyMailing SMTP Newsletter persists and later renders - such as a newsletter/campaign field or subscriber attribute - and that a victim subsequently loads the page displaying that stored payload (UI:R). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are moderate rather than critical. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a newsletter field, subscriber record, or campaign element containing a crafted JavaScript payload that the plugin stores without sanitizing. When an administrator or other user later opens the page that renders this content, the script executes in their browser session, and because of the scope change it can steal authentication cookies or perform actions in the WordPress admin context. … |
| Remediation | Upgrade the AcyMailing SMTP Newsletter plugin to the latest version beyond 10.11.0 as published on the WordPress plugin repository and confirmed via the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/acymailing/vulnerability/wordpress-acymailing-smtp-newsletter-plugin-10-10-2-cross-site-scripting-xss-vulnerability?_s_id=cve); the advisory slug references a 10.10.2 fix, but because the CVE states impact through 10.11.0, apply the newest available release rather than relying on 10.10.2, and no exact patched version is independently confirmed from the provided data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: identify and document all WordPress installations running AcyMailing SMTP Newsletter plugin and their current versions; audit plugin configuration and user permissions with access to newsletter functionality. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Acymailing Smtp Newsletter
View allBlind SQL injection in the AcyMailing SMTP Newsletter plugin for WordPress (all versions up to and including 10.11.0) le
Broken access control in the AcyMailing SMTP Newsletter plugin for WordPress (versions up to and including 10.11.1) lets
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43385