{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/acymailing/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2026-3614"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["wordpress","privilege-escalation","acymailing"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe AcyMailing plugin for WordPress, a popular email marketing tool, contains a critical privilege escalation vulnerability, tracked as CVE-2026-3614. Affecting versions 9.11.0 through 10.8.1, the vulnerability stems from a missing capability check on the \u003ccode\u003ewp_ajax_acymailing_router\u003c/code\u003e AJAX handler. This oversight allows authenticated attackers with minimal privileges (Subscriber level or higher) to reach administrative functions that the access controls were intended to restrict. Successful exploitation of this flaw allows attackers to perform actions reserved for administrators, including modifying configuration settings, enabling autologin features, and ultimately compromising the entire WordPress installation. This is a critical vulnerability due to the widespread use of AcyMailing and the potential for complete site takeover.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains subscriber-level access to the WordPress site (e.g., through registration or compromised credentials).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious AJAX request targeting the \u003ccode\u003ewp_ajax_acymailing_router\u003c/code\u003e endpoint. This request attempts to reach admin-only controllers without any authorization check being applied.\u003c/li\u003e\n\u003cli\u003eDue to the missing capability check, the server processes the request, granting the attacker access to restricted administrative functions within AcyMailing.\u003c/li\u003e\n\u003cli\u003eThe attacker enables the autologin feature within AcyMailing\u0026rsquo;s configuration, using the exposed administrative controller.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new AcyMailing subscriber. Crucially, the attacker injects a malicious \u003ccode\u003ecms_id\u003c/code\u003e value into the subscriber\u0026rsquo;s data. This \u003ccode\u003ecms_id\u003c/code\u003e is crafted to point to the WordPress user account they wish to impersonate (e.g., an administrator account).\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the autologin URL generated for the newly created (and malicious) subscriber.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the autologin URL.\u003c/li\u003e\n\u003cli\u003eThe AcyMailing plugin, configured with the now-enabled autologin feature, authenticates the attacker as the user specified by the injected \u003ccode\u003ecms_id\u003c/code\u003e, granting them full administrative access to the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3614 allows an attacker to escalate privileges from a subscriber to an administrator. This grants the attacker complete control over the WordPress website, including the ability to modify content, install malicious plugins, create new administrator accounts, and potentially compromise the underlying server. This vulnerability impacts any WordPress site running a vulnerable version of the AcyMailing plugin (9.11.0 through 10.8.1). The severity is critical due to the ease of exploitation and the potential for complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the AcyMailing plugin to the latest version (greater than 10.8.1) to patch CVE-2026-3614.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;AcyMailing Unauthorized AJAX Access Attempt\u0026rdquo; to detect attempts to exploit the vulnerability by monitoring for access to the \u003ccode\u003ewp_ajax_acymailing_router\u003c/code\u003e endpoint from non-administrator users.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/wp-admin/admin-ajax.php\u003c/code\u003e with the \u003ccode\u003eaction=acymailing_router\u003c/code\u003e parameter, as this is the entry point for exploiting CVE-2026-3614.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-16T06:16:18Z","date_published":"2026-04-16T06:16:18Z","id":"/briefs/2026-04-acymailing-privesc/","summary":"The AcyMailing plugin for WordPress is vulnerable to privilege escalation (CVE-2026-3614), allowing authenticated attackers with subscriber-level access to gain administrative privileges.","title":"AcyMailing Plugin Privilege Escalation Vulnerability (CVE-2026-3614)","url":"https://feed.craftedsignal.io/briefs/2026-04-acymailing-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Acymailing","version":"https://jsonfeed.org/version/1.1"}