Skip to main content

Acymailing An Ultimate Newsletter Plugin And Marketing Automation Solution For Wordpress

1 CVEs product

Monthly

CVE-2026-12170 MEDIUM This Month

Stored Cross-Site Scripting in the AcyMailing WordPress newsletter plugin (all versions up to and including 10.10.2) permits authenticated contributors to inject persistent arbitrary scripts via the unsanitized 'alignment' attribute across both the classic form builder and Gutenberg block editor code paths. Any user - including unauthenticated site visitors - who subsequently loads a page containing the injected element triggers script execution in their browser, enabling session hijacking, credential theft, or malicious redirects. No public exploit identified at time of analysis and no CISA KEV listing, though the CVSS scope change (S:C) correctly reflects the cross-user, cross-session impact characteristic of stored XSS.

WordPress XSS Acymailing An Ultimate Newsletter Plugin And Marketing Automation Solution For Wordpress
NVD
CVSS 3.1
6.4
EPSS
0.3%
EPSS 0% CVSS 6.4
MEDIUM This Month

Stored Cross-Site Scripting in the AcyMailing WordPress newsletter plugin (all versions up to and including 10.10.2) permits authenticated contributors to inject persistent arbitrary scripts via the unsanitized 'alignment' attribute across both the classic form builder and Gutenberg block editor code paths. Any user - including unauthenticated site visitors - who subsequently loads a page containing the injected element triggers script execution in their browser, enabling session hijacking, credential theft, or malicious redirects. No public exploit identified at time of analysis and no CISA KEV listing, though the CVSS scope change (S:C) correctly reflects the cross-user, cross-session impact characteristic of stored XSS.

WordPress XSS Acymailing An Ultimate Newsletter Plugin And Marketing Automation Solution For Wordpress
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy