WordPress Plugin Vulnerabilities

AcyMailing 9.11.0 - 10.8.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation

Description

The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions From 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected `cms_id` pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators.

Affects Plugins

Plugin icon
acymailing
Fixed in 10.8.2

References

CVE
CVE-2026-3614
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a895e2cf-9eba-4c46-b19f-d008e1058f64

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
8.8 (high)

Miscellaneous

Original Researcher
Ren Voza
Verified
No
WPVDB ID
90abbe1a-506d-4730-908a-88089ac3b432

Timeline

Publicly Published
2026-04-15 (about 28 days ago)
Added
2026-04-15 (about 28 days ago)
Last Updated
2026-04-16 (about 27 days ago)

Other

Published
Title
Published
2026-01-27
Title
NextMove Lite < 2.24.0 - Missing Authorization
Published
2026-01-29
Title
Broken Link Notifier < 1.3.6 - Missing Authorization
Published
2024-12-10
Title
RapidLoad – Optimize Web Vitals Automatically < 2.4.3 - Missing Authorization to Authenticated (Subscriber+) Plugin Settings Modification and SQL Injection
Published
2024-04-22
Title
Podlove Podcast Publisher < 4.0.15 - Cross-Site Request Forgery
Published
2026-02-07
Title
Shopwell < 1.0.12 - Missing Authorization