Vulnerabilities and security researches foracymailing acymailing

Apr 16, 2026

CVE, Research URL: CVE-2026-3614
Home page URL: Security reports for AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress
Application: AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress
Date: Apr 16, 2026
Research Description: The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions From 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected `cms_id` pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators.
Affected versions: max 10.8.2.
Status: vulnerable

Feb 16, 2025

CVE, Research URL: CVE-2025-24617
Home page URL: Security reports for AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress
Application: AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress
Date: Feb 14, 2025
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter allows Reflected XSS. This issue affects AcyMailing SMTP Newsletter: from n/a through n/a.
Affected versions: max 9.11.1.
Status: vulnerable

Aug 23, 2024

CVE, Research URL: CVE-2024-7384
Home page URL: Security reports for AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress
Application: AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress
Date: Aug 22, 2024
Research Description: The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the acym_extractArchive function in all versions up to, and including, 9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions: max 9.8.0.
Status: vulnerable

Jun 06, 2024

CVE, Research URL: CVE-2023-41867
Home page URL: Security reports for AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress
Application: AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress
Date: Sep 26, 2023
Research Description: Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in AcyMailing Newsletter Team AcyMailing plugin <= 8.6.2 versions.
Affected versions: max 8.6.3.
Status: vulnerable

CVE, Research URL: CVE-2021-24288
Home page URL: Security reports for AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress
Application: AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress
Date: May 17, 2021
Research Description: When subscribing using AcyMailing, the 'redirect' parameter isn't properly sanitized. Turning the request from POST to GET, an attacker can craft a link containing a potentially malicious landing page and send it to the victim.
Affected versions: max 7.5.0.
Status: vulnerable