{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3614", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-05T18:21:42.550Z", "datePublished": "2026-04-16T05:29:54.350Z", "dateUpdated": "2026-04-16T13:42:14.595Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T05:29:54.350Z"}, "affected": [{"vendor": "acyba", "product": "AcyMailing \u2013 An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress", "versions": [{"version": "9.11.0", "status": "affected", "lessThanOrEqual": "10.8.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions From 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected `cms_id` pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators."}], "title": "AcyMailing 9.11.0 - 10.8.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a895e2cf-9eba-4c46-b19f-d008e1058f64?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/WpInit/Router.php#L11"}, {"url": "https://plugins.trac.wordpress.org/browser/acymailing/trunk/WpInit/Router.php#L11"}, {"url": "https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/WpInit/Router.php#L122"}, {"url": "https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/WpInit/Router.php#L230"}, {"url": "https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/back/Core/AcymController.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/acymailing/tags/10.8.1/back/Core/AcymController.php#L99"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Ren Voza"}], "timeline": [{"time": "2026-03-06T10:49:04.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-15T16:43:55.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T13:28:56.236941Z", "id": "CVE-2026-3614", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:42:14.595Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3614", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-16T13:28:56.236941Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T13:29:01.238Z"}}], "cna": {"title": "AcyMailing 9.11.0 - 10.8.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation", "credits": [{"lang": "en", "type": "finder", "value": "Ren Voza"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "acyba", "product": "AcyMailing \u2013 An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress", "versions": [{"status": "affected", "version": "9.11.0", "versionType": "semver", "lessThanOrEqual": "10.8.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-06T10:49:04.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-15T16:43:55.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a895e2cf-9eba-4c46-b19f-d008e1058f64?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/WpInit/Router.php#L11"}, {"url": "https://plugins.trac.wordpress.org/browser/acymailing/trunk/WpInit/Router.php#L11"}, {"url": "https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/WpInit/Router.php#L122"}, {"url": "https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/WpInit/Router.php#L230"}, {"url": "https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/back/Core/AcymController.php#L92"}, {"url": "https://plugins.trac.wordpress.org/browser/acymailing/tags/10.8.1/back/Core/AcymController.php#L99"}], "descriptions": [{"lang": "en", "value": "The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions From 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected `cms_id` pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-16T05:29:54.350Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3614", "state": "PUBLISHED", "dateUpdated": "2026-04-16T13:42:14.595Z", "dateReserved": "2026-03-05T18:21:42.550Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-16T05:29:54.350Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions From 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected `cms_id` pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators."}], "id": "CVE-2026-3614", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-16T06:16:18.167", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/WpInit/Router.php#L11"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/WpInit/Router.php#L122"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/WpInit/Router.php#L230"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/back/Core/AcymController.php#L92"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/acymailing/tags/10.8.1/back/Core/AcymController.php#L99"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/acymailing/trunk/WpInit/Router.php#L11"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a895e2cf-9eba-4c46-b19f-d008e1058f64?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[9.11.0,10.8.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "AcyMailing \u2013 An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress", "source": "cna", "vendor": "acyba"}, "product": "acymailing_\u2013_an_ultimate_newsletter_plugin_and_marketing_automation_solution_for_wordpress", "vendor": "acyba"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-16T08:55:02.381063+00:00", "value": {"mitigation_remediation": ["Upgrade AcyMailing to version 10.8.2 or later, which resolves the missing capability check. If no newer version is available, contact acyba for a patch or disable the affected router endpoint.", "Restrict or remove Subscriber\u2011level users who do not require the capability to access administrative functions, and review role capabilities to ensure only trusted users have the abilities that allow them to use the wp_ajax_acymailing_router endpoint.", "If the autologin feature is not required, disable it or restrict it so that an attacker cannot leverage an autologin link even if they have created a malicious subscriber record, thereby limiting the potential for credential compromise."], "summary": {"action": "Patch Immediately", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "All installations of the AcyMailing WordPress plugin from version 9.11.0 through 10.8.1 are vulnerable. This includes any site using these plugin versions, regardless of hosting environment or customizations, as the error resides in the core router and controller files. The vendor providing the plugin is acyba, known as AcyMailing \u2013 An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress. Users should verify the installed plugin version and apply an update if their site remains on any of these vulnerable releases.", "description_and_impact": "The plugin allows authenticated subscribers to bypass capability checks on the wp_ajax_acymailing_router AJAX handler, enabling access to admin controllers such as configuration management. This flaw permits authenticated attackers with Subscriber-level access or higher to enable the autologin feature, create a malicious subscriber record that references any existing WordPress user via the cms_id field, and then use the autologin URL to log in as that user. The attacker can therefore gain full administrative control, exfiltrate data, modify settings, or deploy further malware. The weakness is a missing authorization check, identified as CWE\u2011862.", "risk_and_exploitability": "The CVSS score of 8.8 indicates high severity, and the EPSS score is unavailable, meaning a precise exploitation likelihood cannot be quantified. The vulnerability is not listed in CISA\u2019s KEV catalog, but the impact remains significant because an attacker with any Subscriber role can escape privileges without needing elevated credentials. The attack requires authenticated access, so it is confined to sites that allow unauthenticated users to log in at least as Subscribers. Once authenticated, the attacker can immediately exploit the missing check to trigger the sequence that builds a malicious subscriber and leverages the autologin link to impersonate higher\u2011privilege users."}}}}, "created": "2026-04-16T09:00:05.291231+00:00", "updated": "2026-04-16T09:11:45.773482+00:00", "vendors": ["acyba", "acyba$PRODUCT$acymailing_\u2013_an_ultimate_newsletter_plugin_and_marketing_automation_solution_for_wordpress", "wordpress", "wordpress$PRODUCT$wordpress"]}