Acymailing – An Ultimate Newsletter Plugin And Marketing Automation Solution For Wordpress
cpe:2.3:a:acyba:acymailing_–_an_ultimate_newsletter_plugin_and_marketing_automation_solution_for_wordpress:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Acyba (a281a712-9712-5e0c-986a-c9be95369b4c) |
|---|---|
| Product | Acymailing – An Ultimate Newsletter Plugin And Marketing Automation Solution For Wordpress (9639497b-9c3b-51a5-aa9f-1bf435e39278) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-5200 | vulnerable | 2026-06-03 15:26:26.778754 | AcyMailing <= 10.8.2 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via 'acymailing_router'. HIGH (8.8). The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 10.8.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify privileged AcyMailing configuration, export subscriber secret keys, and chain these actions into administrator account takeover when a target administrator email address is known. Published: 2026-05-20T06:46:04.209Z. Updated: 2026-05-20T12:19:49.898Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-3614 | vulnerable | 2026-06-03 15:23:33.209354 | AcyMailing 9.11.0 - 10.8.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation. HIGH (8.8). The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions from 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected `cms_id` pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators. Published: 2026-04-16T05:29:54.350Z. Updated: 2026-04-16T13:42:14.595Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-7384 | vulnerable | 2026-06-03 14:58:05.763566 | AcyMailing <= 9.7.2 - Authenticated (Subscriber+) Arbitrary File Upload via acym_extractArchive Function. HIGH (7.5). The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the acym_extractArchive function in all versions up to, and including, 9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible. Published: 2024-08-22T02:02:02.326Z. Updated: 2026-04-08T16:35:04.094Z | Imported from gcve-enriched-dumps CVE data |