What the vulnerability does
01Description
The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 10.8.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify privileged AcyMailing configuration, export subscriber secret keys, and chain these actions into administrator account takeover when a target administrator email address is known.
Explanation of Vulnerability in Simple Terms
02Summary
AcyMailing versions up to 10.8.2 lack proper authorization checks, allowing authenticated users with low privileges to read, modify, or delete sensitive data and functionality. An attacker with a basic WordPress account can access restricted features without additional verification. This affects all installations running the vulnerable version range.
What an attacker can do
03Attacker Capabilities
Read, modify, or delete data and settings they should not have access to.
Potential impact on your site
04Site Impact
Unauthorized users can tamper with newsletter campaigns, subscriber lists, and marketing automation settings.
Conditions required to exploit
05Prerequisites
Attacker needs a low-privilege WordPress user account (e.g., subscriber or contributor).
Key dates
06Disclosure timeline
May 20, 2026
CVE published
May 20, 2026
Record updated
