Skip to main content

Acymailing Smtp Newsletter

3 CVEs product

Monthly

CVE-2026-57741 HIGH This Week

Stored cross-site scripting in the AcyMailing SMTP Newsletter plugin for WordPress allows attackers to persist malicious JavaScript that executes in the browser of any user who views the affected page, up to and including version 10.11.0. The scope-change CVSS vector (S:C) indicates the injected script can break out of the plugin's context into the wider WordPress site, enabling session theft or admin-panel actions. This flaw was reported by Patchstack and currently has no public exploit identified at time of analysis.

XSS Acymailing Smtp Newsletter
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2026-57739 CRITICAL Act Now

Blind SQL injection in the AcyMailing SMTP Newsletter plugin for WordPress (all versions up to and including 10.11.0) lets remote attackers inject arbitrary SQL through unsanitized input and extract database contents inference-by-inference. The CVSS 3.1 base score is 9.3, elevated by a changed scope and confidentiality impact against the underlying WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the finding originates from Patchstack.

SQLi Acymailing Smtp Newsletter
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-57740 HIGH This Week

Broken access control in the AcyMailing SMTP Newsletter plugin for WordPress (versions up to and including 10.11.1) lets an authenticated low-privileged user reach functionality that should be restricted, impacting integrity and, most notably, availability of the plugin's newsletter/mailing operations. The flaw is a missing authorization check (CWE-862) reported by Patchstack; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Note an inconsistency in the source data: the CVE description states affected 'through <= 10.11.1' while the linked Patchstack advisory slug references 10.10.2 - the exact patched version is not confirmed from the input.

Authentication Bypass Acymailing Smtp Newsletter
NVD VulDB
CVSS 3.1
7.1
EPSS
0.3%
EPSS 0% CVSS 7.1
HIGH This Week

Stored cross-site scripting in the AcyMailing SMTP Newsletter plugin for WordPress allows attackers to persist malicious JavaScript that executes in the browser of any user who views the affected page, up to and including version 10.11.0. The scope-change CVSS vector (S:C) indicates the injected script can break out of the plugin's context into the wider WordPress site, enabling session theft or admin-panel actions. This flaw was reported by Patchstack and currently has no public exploit identified at time of analysis.

XSS Acymailing Smtp Newsletter
NVD
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the AcyMailing SMTP Newsletter plugin for WordPress (all versions up to and including 10.11.0) lets remote attackers inject arbitrary SQL through unsanitized input and extract database contents inference-by-inference. The CVSS 3.1 base score is 9.3, elevated by a changed scope and confidentiality impact against the underlying WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the finding originates from Patchstack.

SQLi Acymailing Smtp Newsletter
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Broken access control in the AcyMailing SMTP Newsletter plugin for WordPress (versions up to and including 10.11.1) lets an authenticated low-privileged user reach functionality that should be restricted, impacting integrity and, most notably, availability of the plugin's newsletter/mailing operations. The flaw is a missing authorization check (CWE-862) reported by Patchstack; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Note an inconsistency in the source data: the CVE description states affected 'through <= 10.11.1' while the linked Patchstack advisory slug references 10.10.2 - the exact patched version is not confirmed from the input.

Authentication Bypass Acymailing Smtp Newsletter
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy