Skip to main content

AcyMailing EUVDEUVD-2026-43384

| CVE-2026-57739 CRITICAL
SQL Injection (CWE-89)
2026-07-13 Patchstack
9.3
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
vuln.today AI
8.5 HIGH

Network-reachable low-complexity SQLi; PR:L chosen as most WordPress-plugin SQLi requires some authentication despite Patchstack's PR:N, blind read yields C:H/I:N with minor A:L.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 10:40 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
CRITICAL 9.3

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter acymailing allows Blind SQL Injection.This issue affects AcyMailing SMTP Newsletter: from n/a through <= 10.11.0.

AnalysisAI

Blind SQL injection in the AcyMailing SMTP Newsletter plugin for WordPress (all versions up to and including 10.11.0) lets remote attackers inject arbitrary SQL through unsanitized input and extract database contents inference-by-inference. The CVSS 3.1 base score is 9.3, elevated by a changed scope and confidentiality impact against the underlying WordPress database. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify site running AcyMailing plugin
Delivery
Send crafted SQLi payload to endpoint
Exploit
Observe boolean/time-based responses
Execution
Enumerate database blindly
Impact
Exfiltrate credentials and secrets

Vulnerability AssessmentAI

Exploitation The vulnerability is a blind SQL injection reachable over the network against the AcyMailing SMTP Newsletter plugin (<= 10.11.0). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker sends crafted input to a vulnerable AcyMailing parameter and observes conditional differences in responses or timing to extract data character-by-character. Over repeated automated requests, they enumerate the WordPress database - including wp_users password hashes and secret keys - enabling account compromise. …
Remediation Update the AcyMailing SMTP Newsletter plugin to the fixed release as directed by the vendor; a released patched version is not independently confirmed from the input data, and the affected range (<= 10.11.0) conflicts with the '10.10.2' string in the advisory slug, so verify the correct target version at the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/acymailing/vulnerability/wordpress-acymailing-smtp-newsletter-plugin-10-10-2-sql-injection-vulnerability) before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, immediately disable or uninstall the AcyMailing SMTP Newsletter plugin from all affected WordPress instances; if the plugin is business-critical, implement Web Application Firewall (WAF) rules to block SQL injection patterns targeting the plugin's input endpoints. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43384 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy