What the vulnerability does
01 Description
The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions from 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. This makes it possible for authenticated attackers with Subscriber-level access and above to reach admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected `cms_id` pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators.
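The defect class described above is a `wp_ajax_*` handler that dispatches to privileged controllers without asking who is calling. The following PHP is an added illustration written for this page; it is not AcyMailing's code and does not reproduce its router. Every identifier in it (`vuln_example_router`, `vuln_example_nonce`, the `ctrl` parameter and the controller map) is made up. It places the unchecked pattern beside a hardened version that adds a nonce check and a per-controller capability requirement.

```php
<?php
// Added example, not AcyMailing's code. All names below are hypothetical.
//
// Background: WordPress fires the wp_ajax_{action} hook for ANY logged-in
// user who posts action={action} to admin-ajax.php, whatever their role.
// The hook name alone therefore provides no authorization; the handler
// has to check capabilities itself.

// --- Vulnerable pattern --------------------------------------------------
// Dispatches straight to the requested controller. A Subscriber can reach
// controllers that were only ever meant for administrators.
add_action( 'wp_ajax_vuln_example_router', 'vuln_example_router_unchecked' );
function vuln_example_router_unchecked() {
    $controller = isset( $_REQUEST['ctrl'] ) ? sanitize_key( $_REQUEST['ctrl'] ) : '';
    vuln_example_dispatch( $controller ); // no current_user_can(), no nonce
    wp_die();
}

// --- Hardened pattern ----------------------------------------------------
add_action( 'wp_ajax_vuln_example_router_fixed', 'vuln_example_router_checked' );
function vuln_example_router_checked() {
    // 1. CSRF protection: the request must carry a nonce issued for this
    //    action (check_ajax_referer() dies on failure).
    check_ajax_referer( 'vuln_example_nonce', 'nonce' );

    // 2. Authorization: the required capability depends on which controller
    //    is being reached, not merely on "is logged in".
    $controller = isset( $_REQUEST['ctrl'] ) ? sanitize_key( $_REQUEST['ctrl'] ) : '';
    $required   = vuln_example_required_capability( $controller );
    if ( ! current_user_can( $required ) ) {
        // wp_send_json_error() terminates the request after sending the response.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    vuln_example_dispatch( $controller );
    wp_die();
}

// Map each controller to the capability needed to reach it. Anything not
// listed falls through to an admin-only requirement (deny by default), so a
// newly added controller cannot silently become reachable by low-privilege
// users.
function vuln_example_required_capability( $controller ) {
    $map = array(
        'subscribe'     => 'read',           // any authenticated user
        'configuration' => 'manage_options', // administrators only
        'users'         => 'manage_options',
    );
    return isset( $map[ $controller ] ) ? $map[ $controller ] : 'manage_options';
}

// Stand-in for the real controller dispatch; does nothing in this example.
function vuln_example_dispatch( $controller ) {
}
```

The point of the map is that a single router serving both public-facing and administrative controllers cannot use one blanket check: the capability has to be resolved per controller, with an admin-only default for anything unrecognised. On the detection side, a request that reaches a `wp_ajax_X` hook carries `action=X`, so logs that record the `action` parameter of `admin-ajax.php` requests can be reviewed for `acymailing_router` calls made by non-administrator sessions while the update to a fixed version is rolled out.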
Explanation of Vulnerability in Simple Terms
02 Summary
AcyMailing versions 9.11.0 through 10.8.1 lack proper authorization checks, allowing authenticated users with low privileges to read, modify, or delete sensitive data and functionality. An attacker with a standard user account can perform actions restricted to administrators without additional verification. This affects the plugin's core mailing and automation features.
What an attacker can do
03 Attacker Capabilities
Read, modify, or delete sensitive data and administrative functions with a low-privilege user account.
Potential impact on your site
04 Site Impact
Unauthorized users can access and alter newsletter campaigns, subscriber lists, and marketing automation settings.
Conditions required to exploit
05 Prerequisites
Attacker must have a valid WordPress user account with low privileges (e.g., subscriber or contributor role).
Key dates
06 Disclosure timeline
April 16, 2026: CVE published
April 16, 2026: Record updated