CVE-2026-3614

EPSS 0.02%
Veröffentlicht 16.04.2026 05:29:54
Zuletzt bearbeitet 16.04.2026 06:16:18
Quelle security@wordfence.com
CVE-Watchlists
Login
Unerledigt
Login

The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions From 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected `cms_id` pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 10

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstelleracyba

≫

Produkt AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress

Default Statusunaffected

Version <= 10.8.1

Version 9.11.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.046

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security@wordfence.com	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

https://www.wordfence.com/threat-intel/vulnerabilities/id/a895e2cf-9eba-4c46-b19f-d008e1058f64?source=cve

https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/WpInit/Router.php#L11

https://plugins.trac.wordpress.org/browser/acymailing/trunk/WpInit/Router.php#L11

https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/WpInit/Router.php#L122

https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/WpInit/Router.php#L230

https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/back/Core/AcymController.php#L92

https://plugins.trac.wordpress.org/browser/acymailing/tags/10.8.1/back/Core/AcymController.php#L99

https://nvd.nist.gov/vuln/detail/CVE-2026-3614

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-3614

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-3614

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-3614