Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Network-reachable handler with low complexity and no UI, but missing-authorization abuse requires an authenticated low-privilege account (PR:L); impact is service disruption (A:H) plus limited data change (I:L), no confidentiality (C:N).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Lifecycle Timeline
2DescriptionCVE.org
Missing Authorization vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter acymailing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AcyMailing SMTP Newsletter: from n/a through <= 10.11.1.
AnalysisAI
Broken access control in the AcyMailing SMTP Newsletter plugin for WordPress (versions up to and including 10.11.1) lets an authenticated low-privileged user reach functionality that should be restricted, impacting integrity and, most notably, availability of the plugin's newsletter/mailing operations. The flaw is a missing authorization check (CWE-862) reported by Patchstack; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated WordPress account of at least low privilege on the target site (CVSS PR:L) - exploitation is not possible pre-authentication. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderate and partially incomplete. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or obtains a low-privilege account (e.g., Subscriber) on a WordPress site running the vulnerable plugin, then sends a crafted request to an AcyMailing action handler that lacks a capability check. Because authorization is missing, the request succeeds and the attacker triggers a privileged mailing operation that disrupts the newsletter service (A:H) and alters some data (I:L). … |
| Remediation | Upgrade the AcyMailing SMTP Newsletter plugin to the vendor's fixed release beyond 10.11.1 as soon as it is confirmed available; no exact fix version is independently verified from the provided data, so consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/acymailing/vulnerability/wordpress-acymailing-smtp-newsletter-plugin-10-10-2-broken-access-control-vulnerability) and the vendor changelog for the precise patched build before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit all WordPress user accounts with access to AcyMailing plugin functionality and document current privilege levels, particularly identifying any low-privileged accounts with unnecessary newsletter management access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Acymailing Smtp Newsletter
View allBlind SQL injection in the AcyMailing SMTP Newsletter plugin for WordPress (all versions up to and including 10.11.0) le
Stored cross-site scripting in the AcyMailing SMTP Newsletter plugin for WordPress allows attackers to persist malicious
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43382