<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress Plugin &lt;= 10.8.2 — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/acymailing--an-ultimate-newsletter-plugin-and-marketing-automation-solution-for-wordpress-plugin--10.8.2/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 20 May 2026 08:17:06 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/acymailing--an-ultimate-newsletter-plugin-and-marketing-automation-solution-for-wordpress-plugin--10.8.2/feed.xml" rel="self" type="application/rss+xml"/><item><title>AcyMailing WordPress Plugin Missing Authorization Vulnerability (CVE-2026-5200)</title><link>https://feed.craftedsignal.io/briefs/2026-05-acymailing-auth-bypass/</link><pubDate>Wed, 20 May 2026 08:17:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-05-acymailing-auth-bypass/</guid><description>The AcyMailing plugin for WordPress is vulnerable to a missing authorization issue (CVE-2026-5200), allowing authenticated attackers with subscriber-level access to modify privileged AcyMailing configuration, export subscriber secret keys, and potentially achieve administrator account takeover if the administrator's email address is known.</description><content:encoded><![CDATA[<p>The AcyMailing plugin for WordPress, up to version 10.8.2, suffers from a missing authorization vulnerability (CVE-2026-5200). 
This flaw enables authenticated attackers with only subscriber-level privileges to bypass authorization checks and perform actions normally reserved for administrators, including modifying sensitive plugin configuration and exporting subscriber secret keys. The root cause is a missing capability check on privileged plugin actions rather than a broken login, so ordinary credential controls do not prevent it: any account that can log in, including a self-registered subscriber, is sufficient. A successful exploit could lead to complete compromise of the WordPress installation, particularly if the attacker knows an administrator&rsquo;s email address, which facilitates an account takeover. Defenders should prioritize patching and monitor activity related to this plugin.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker registers an account on the WordPress site, obtaining subscriber-level access.</li>
<li>The attacker authenticates to the WordPress site using their subscriber credentials.</li>
<li>The attacker sends an HTTP request to the AcyMailing configuration-update handler. Because the handler does not verify the caller&rsquo;s capability, the request is processed even though the account is only a subscriber.</li>
<li>The attacker changes settings related to email sending or subscriber management within AcyMailing.</li>
<li>The attacker sends a separate request to the subscriber export function, which likewise lacks an authorization check, and obtains the subscriber secret keys.</li>
<li>The attacker uses the exported keys to act as those subscribers or to gain further access.</li>
<li>If the attacker knows the administrator&rsquo;s email address, they combine the modified settings and the exported data to attempt an administrator account takeover.</li>
<li>A successful account takeover grants the attacker full control over the WordPress site.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation allows attackers to modify AcyMailing settings, which can turn the compromised WordPress site into a source of spam or phishing campaigns sent under its legitimate domain. More critically, an attacker can export subscriber secret keys, which can be used to impersonate those subscribers. If the administrator&rsquo;s email address is known, the attacker can chain these actions into a full administrator account takeover, leading to website defacement, data theft, or complete system compromise. The severity of this issue is reflected in its CVSS v3.1 base score of 8.8.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately update the AcyMailing plugin to a release later than 10.8.2 (the last affected version) that contains the fix for CVE-2026-5200.</li>
<li>If patching must be delayed and self-registration is enabled (the &ldquo;Anyone can register&rdquo; option in WordPress general settings), disable it until the plugin is updated, since the attack chain starts with a self-registered subscriber account.</li>
<li>Deploy detection rules (for example the Sigma rules distributed with this feed) that alert on configuration-modification and export requests against AcyMailing endpoints from non-administrator accounts.</li>
<li>Monitor web server logs for HTTP requests targeting AcyMailing endpoints, particularly those that modify configuration settings or export subscriber data, and treat successful (2xx) responses to such requests from unknown clients as higher priority than rejected ones.</li>
<li>Review web server access logs and any WordPress activity or audit logging for AcyMailing administrative actions performed by subscriber-level accounts.</li>
<li>After patching, audit AcyMailing&rsquo;s email sending and subscriber-management settings for unauthorized changes, and review administrator accounts for unexpected modifications.</li>
</ul>
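<p>As an added illustration of the log review recommended above (this is example code written for this brief, not code from CraftedSignal or from the AcyMailing project), the following Python script scans combined-format web server access log lines for clients outside a known-administrator allowlist that reach AcyMailing admin endpoints. Everything plugin-specific in it is an assumption: it presumes AcyMailing admin and AJAX traffic passes through the standard WordPress entry points (<code>/wp-admin/admin.php</code>, <code>admin-ajax.php</code>, <code>admin-post.php</code>) with an <code>acym</code> marker in the path or query string, and that configuration and export actions mention <code>config</code>, <code>setting</code>, <code>export</code> or <code>key</code> in the query string. The sample log lines are constructed and use documentation (TEST-NET) addresses.</p>

```python
"""
Flag non-administrator clients reaching AcyMailing admin-only endpoints in
Apache/Nginx combined-format access logs.

Added example for the CVE-2026-5200 brief; not CraftedSignal or AcyMailing code.
Assumptions (not taken from the advisory):
  * AcyMailing admin/AJAX traffic uses the standard WordPress entry points and
    carries an "acym" marker in the path or query string.
  * Sensitive actions mention config/setting/export/key in the query string.
  * Legitimate administrators work from a small set of known IPs (ADMIN_IPS).
Caveat: access logs do not record POST bodies, so parameters sent only in the
body are invisible here; use request-body logging or a WAF log for those.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

WP_ADMIN_ENTRYPOINTS = (
    "/wp-admin/admin.php",
    "/wp-admin/admin-ajax.php",
    "/wp-admin/admin-post.php",
)
ACYM_MARKER = re.compile(r"acym", re.IGNORECASE)                       # assumed
SENSITIVE_ACTION = re.compile(r"config|setting|export|key", re.IGNORECASE)  # assumed
ADMIN_IPS = {"203.0.113.10"}  # placeholder allowlist of administrator addresses


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["path"], rec["query"] = parts.path, parts.query
    return rec


def is_acym_admin_request(rec):
    """True when the request hits a WP admin entry point with the AcyMailing marker."""
    if not rec["path"].startswith(WP_ADMIN_ENTRYPOINTS):
        return False
    return bool(ACYM_MARKER.search(rec["path"] + "?" + rec["query"]))


def analyse(lines, admin_ips=ADMIN_IPS):
    """Return {client_ip: [finding, ...]} for clients outside the allowlist.

    A finding is 'high' when the query names a sensitive action and the server
    answered 2xx (the request was actually processed); otherwise 'medium'.
    A 403 on the same endpoint is what a patched plugin should produce.
    """
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_acym_admin_request(rec) or rec["ip"] in admin_ips:
            continue
        processed = rec["status"].startswith("2")
        severity = "high" if processed and SENSITIVE_ACTION.search(rec["query"]) else "medium"
        findings[rec["ip"]].append({
            "ts": rec["ts"], "severity": severity, "method": rec["method"],
            "url": rec["url"], "status": rec["status"],
        })
    return dict(findings)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [20/May/2026:08:00:12 +0000] "POST /wp-admin/admin.php?page=acymailing_configuration HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/May/2026:08:09:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/May/2026:08:10:01 +0000] "POST /wp-admin/admin-ajax.php?action=acym_router&ctrl=configuration&task=store HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/May/2026:08:10:33 +0000] "GET /wp-admin/admin.php?page=acymailing_users&task=export&key=1 HTTP/1.1" 200 90211 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/May/2026:08:11:02 +0000] "GET /wp-admin/admin.php?page=acymailing_dashboard HTTP/1.1" 200 7100 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [20/May/2026:08:15:57 +0000] "POST /wp-admin/admin-ajax.php?action=acym_router&ctrl=configuration&task=store HTTP/1.1" 403 61 "-" "curl/8.0"',
    '198.51.100.7 - - [20/May/2026:08:11:03 +0000] "GET /favicon.ico HTTP/1.1" 200 318 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, items in analyse(SAMPLE_LOG).items():
        print(ip)
        for f in items:
            print(f'  [{f["severity"]}] {f["ts"]} {f["method"]} {f["url"]} -> {f["status"]}')
```

<p>On the constructed sample the allowlisted administrator is ignored, the client at 198.51.100.7 produces two high-severity findings (a processed configuration store and a processed export) plus one medium, and 192.0.2.44 produces a single medium finding because its attempt was rejected with 403. Feed real logs in with <code>analyse(open("access.log"))</code>, and adjust the assumed markers to the endpoint names observed in your own environment before relying on it.</p>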
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>acymailing</category><category>wordpress</category><category>authorization-bypass</category><category>privilege-escalation</category></item></channel></rss>