CVE-2026-57740 HIGH

CVE-2026-57740: WordPress AcyMailing SMTP Newsletter plugin <= 10.11.1 - Broken Access Control vulnerability

Vendor Acymailing Newsletter Team
Product AcyMailing SMTP Newsletter
Weakness CWE-862 · Missing authorization
Published July 13, 2026
Last update July 13, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

What the vulnerability does

01Description

Missing Authorization vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter acymailing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AcyMailing SMTP Newsletter: from n/a through <= 10.11.1.

Explanation of Vulnerability in Simple Terms

02Summary

AcyMailing SMTP Newsletter versions up to 10.11.1 lack proper authorization checks, allowing authenticated users to modify newsletter settings and disable the service. An attacker with low-level access can alter configurations or cause the newsletter system to become unavailable. Site administrators should update to a version newer than 10.11.1 to restore proper access controls.

What an attacker can do

03Attacker Capabilities

Modify newsletter settings or disable the newsletter service without proper authorization.

Potential impact on your site

04Site Impact

Newsletter functionality may be disrupted or misconfigured by unauthorized users with basic site access.

Conditions required to exploit

05Prerequisites

Attacker must have a low-level user account on the site; no special interaction required.

Key dates

06Disclosure timeline

July 13, 2026 CVE published

Related vulnerabilities

08Related CVE