Skip to main content

AcyMailing EUVDEUVD-2026-42521

| CVE-2026-12170 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-09 Wordfence GHSA-8j9m-p63v-r54h
6.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Stored XSS payload executes only when a victim visits the page, warranting UI:R; contributor authentication required sets PR:L; scope change applies as victim browser is the impacted component.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 08:43 vuln.today
CVE Published
Jul 09, 2026 - 06:52 nvd
MEDIUM 6.4

DescriptionCVE.org

The AcyMailing - An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'alignment' attribute in all versions up to, and including, 10.10.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

AnalysisAI

Stored Cross-Site Scripting in the AcyMailing WordPress newsletter plugin (all versions up to and including 10.10.2) permits authenticated contributors to inject persistent arbitrary scripts via the unsanitized 'alignment' attribute across both the classic form builder and Gutenberg block editor code paths. Any user - including unauthenticated site visitors - who subsequently loads a page containing the injected element triggers script execution in their browser, enabling session hijacking, credential theft, or malicious redirects. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain or register contributor-level WordPress account
Delivery
Inject script payload via 'alignment' attribute in AcyMailing form or Gutenberg block
Exploit
Payload persists unsanitized in WordPress database
Execution
Victim loads page containing injected element
Persist
Script executes in victim browser context
Impact
Exfiltrate session token or execute malicious redirect

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to possess a valid WordPress account at contributor level or above - this is the definitive gating condition and the primary limit on real-world exposure. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 6.4 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) reflects a low-privilege network attack with scope change. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a contributor-level WordPress account on the target site and edits or creates an AcyMailing newsletter form or Gutenberg block, injecting a crafted JavaScript payload into the 'alignment' attribute field (e.g., a value containing a script tag or event handler). The payload is stored in the database without sanitization via the vulnerable code paths in form.php or Gutenberg.php. …
Remediation A fix has been committed to the WordPress Plugin Trac repository (changeset 3597432, viewable at https://plugins.trac.wordpress.org/changeset?reponame=&old=3597432%40acymailing&new=3597432%40acymailing); however, the specific patched release version number is not confirmed in the available input data - administrators should update to the latest available version via the WordPress Plugin Directory and cross-reference the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/4fd76fbc-22df-4071-a2ae-9c9ac9cdbc57 to confirm a patched release is available before updating. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42521 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy