Acymailing An Ultimate Newsletter Plugin And Marketing Automation Solution For Wordpress
Monthly
Stored Cross-Site Scripting in the AcyMailing WordPress newsletter plugin (all versions up to and including 10.10.2) permits authenticated contributors to inject persistent arbitrary scripts via the unsanitized 'alignment' attribute across both the classic form builder and Gutenberg block editor code paths. Any user - including unauthenticated site visitors - who subsequently loads a page containing the injected element triggers script execution in their browser, enabling session hijacking, credential theft, or malicious redirects. No public exploit identified at time of analysis and no CISA KEV listing, though the CVSS scope change (S:C) correctly reflects the cross-user, cross-session impact characteristic of stored XSS.
Stored Cross-Site Scripting in the AcyMailing WordPress newsletter plugin (all versions up to and including 10.10.2) permits authenticated contributors to inject persistent arbitrary scripts via the unsanitized 'alignment' attribute across both the classic form builder and Gutenberg block editor code paths. Any user - including unauthenticated site visitors - who subsequently loads a page containing the injected element triggers script execution in their browser, enabling session hijacking, credential theft, or malicious redirects. No public exploit identified at time of analysis and no CISA KEV listing, though the CVSS scope change (S:C) correctly reflects the cross-user, cross-session impact characteristic of stored XSS.