Acymailing Smtp Newsletter
Monthly
Stored cross-site scripting in the AcyMailing SMTP Newsletter plugin for WordPress allows attackers to persist malicious JavaScript that executes in the browser of any user who views the affected page, up to and including version 10.11.0. The scope-change CVSS vector (S:C) indicates the injected script can break out of the plugin's context into the wider WordPress site, enabling session theft or admin-panel actions. This flaw was reported by Patchstack and currently has no public exploit identified at time of analysis.
Blind SQL injection in the AcyMailing SMTP Newsletter plugin for WordPress (all versions up to and including 10.11.0) lets remote attackers inject arbitrary SQL through unsanitized input and extract database contents inference-by-inference. The CVSS 3.1 base score is 9.3, elevated by a changed scope and confidentiality impact against the underlying WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the finding originates from Patchstack.
Broken access control in the AcyMailing SMTP Newsletter plugin for WordPress (versions up to and including 10.11.1) lets an authenticated low-privileged user reach functionality that should be restricted, impacting integrity and, most notably, availability of the plugin's newsletter/mailing operations. The flaw is a missing authorization check (CWE-862) reported by Patchstack; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Note an inconsistency in the source data: the CVE description states affected 'through <= 10.11.1' while the linked Patchstack advisory slug references 10.10.2 - the exact patched version is not confirmed from the input.
Stored cross-site scripting in the AcyMailing SMTP Newsletter plugin for WordPress allows attackers to persist malicious JavaScript that executes in the browser of any user who views the affected page, up to and including version 10.11.0. The scope-change CVSS vector (S:C) indicates the injected script can break out of the plugin's context into the wider WordPress site, enabling session theft or admin-panel actions. This flaw was reported by Patchstack and currently has no public exploit identified at time of analysis.
Blind SQL injection in the AcyMailing SMTP Newsletter plugin for WordPress (all versions up to and including 10.11.0) lets remote attackers inject arbitrary SQL through unsanitized input and extract database contents inference-by-inference. The CVSS 3.1 base score is 9.3, elevated by a changed scope and confidentiality impact against the underlying WordPress database. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the finding originates from Patchstack.
Broken access control in the AcyMailing SMTP Newsletter plugin for WordPress (versions up to and including 10.11.1) lets an authenticated low-privileged user reach functionality that should be restricted, impacting integrity and, most notably, availability of the plugin's newsletter/mailing operations. The flaw is a missing authorization check (CWE-862) reported by Patchstack; there is no public exploit identified at time of analysis and it is not listed in CISA KEV. Note an inconsistency in the source data: the CVE description states affected 'through <= 10.11.1' while the linked Patchstack advisory slug references 10.10.2 - the exact patched version is not confirmed from the input.