Skip to main content

AcyMailing CVE-2026-57741

| EUVDEUVD-2026-43385 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
7.1
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
6.5 MEDIUM

Stored XSS realistically needs a low-privilege account to inject persistent content (PR:L) and a victim to view it (UI:R); scope change (S:C) as script escapes plugin context with limited C/I/A impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:39 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter acymailing allows Stored XSS.This issue affects AcyMailing SMTP Newsletter: from n/a through <= 10.11.0.

AnalysisAI

Stored cross-site scripting in the AcyMailing SMTP Newsletter plugin for WordPress allows attackers to persist malicious JavaScript that executes in the browser of any user who views the affected page, up to and including version 10.11.0. The scope-change CVSS vector (S:C) indicates the injected script can break out of the plugin's context into the wider WordPress site, enabling session theft or admin-panel actions. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Access newsletter/subscriber input field
Delivery
Inject stored XSS payload
Exploit
Payload persisted by plugin
Execution
Victim loads affected page
Persist
Script executes in victim context
Impact
Hijack session or admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires that an attacker be able to submit content that AcyMailing SMTP Newsletter persists and later renders - such as a newsletter/campaign field or subscriber attribute - and that a victim subsequently loads the page displaying that stored payload (UI:R). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are moderate rather than critical. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a newsletter field, subscriber record, or campaign element containing a crafted JavaScript payload that the plugin stores without sanitizing. When an administrator or other user later opens the page that renders this content, the script executes in their browser session, and because of the scope change it can steal authentication cookies or perform actions in the WordPress admin context. …
Remediation Upgrade the AcyMailing SMTP Newsletter plugin to the latest version beyond 10.11.0 as published on the WordPress plugin repository and confirmed via the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/acymailing/vulnerability/wordpress-acymailing-smtp-newsletter-plugin-10-10-2-cross-site-scripting-xss-vulnerability?_s_id=cve); the advisory slug references a 10.10.2 fix, but because the CVE states impact through 10.11.0, apply the newest available release rather than relying on 10.10.2, and no exact patched version is independently confirmed from the provided data. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: identify and document all WordPress installations running AcyMailing SMTP Newsletter plugin and their current versions; audit plugin configuration and user permissions with access to newsletter functionality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57741 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy