CVE-2026-5200

AcyMailing · AcyMailing Newsletter Plugin

The AcyMailing WordPress plugin contains a missing authorization vulnerability that could allow unauthorized users to perform sensitive actions.

Executive summary

A high-severity missing authorization vulnerability in the AcyMailing WordPress plugin could allow unauthenticated or low-privileged users to perform unauthorized administrative actions.

Vulnerability

The plugin fails to perform adequate authorization checks, which can allow unauthorized users to trigger functions intended only for administrators or authorized users. This flaw facilitates unauthorized management of newsletter data and automation workflows.
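The check this advisory says is missing, as an added example that is not AcyMailing's code: a hypothetical WordPress AJAX handler for deleting a newsletter list, first written without any authorization (the bug class described above), then with the capability and nonce checks a corrected handler would enforce. Every hook, function and table name prefixed `example_` is assumed for illustration.

```php
<?php
// Added example of the missing-authorization bug class; not the plugin's own code.
// All names prefixed example_ are hypothetical.

// VULNERABLE: the callback is registered for logged-in users (wp_ajax_) AND for
// unauthenticated visitors (wp_ajax_nopriv_), and it never checks who is calling.
add_action( 'wp_ajax_example_delete_list', 'example_delete_list_unchecked' );
add_action( 'wp_ajax_nopriv_example_delete_list', 'example_delete_list_unchecked' );

function example_delete_list_unchecked() {
    $list_id = (int) $_POST['list_id'];
    example_delete_newsletter_list( $list_id ); // runs for anyone who can reach admin-ajax.php
    wp_send_json_success();
}

// HARDENED: logged-in hook only, an explicit capability check, and a nonce check.
add_action( 'wp_ajax_example_delete_list_safe', 'example_delete_list_checked' );

function example_delete_list_checked() {
    // 1. Authorization: the caller must hold a capability reserved for administrators.
    //    wp_send_json_error() ends the request, so nothing below runs on failure.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. Request authenticity: a valid nonce for this action is required, so an
    //    administrator cannot be made to issue the request from another site (CSRF).
    check_ajax_referer( 'example_delete_list', 'nonce' );
    // 3. Input validation before touching data.
    $list_id = isset( $_POST['list_id'] ) ? absint( $_POST['list_id'] ) : 0;
    if ( 0 === $list_id ) {
        wp_send_json_error( 'invalid list id', 400 );
    }
    example_delete_newsletter_list( $list_id );
    wp_send_json_success();
}

// Stand-in for the plugin's data layer (assumed table name).
function example_delete_newsletter_list( $list_id ) {
    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'example_lists', array( 'id' => $list_id ), array( '%d' ) );
}
```

The audit-log review under Remediation is the detection side of the same gap: a successful call to an administrative action from a session that would fail the `current_user_can()` check above is the signal to look for.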

Business impact

With a CVSS score of 8.8, this vulnerability poses a severe threat to the integrity and confidentiality of the WordPress environment. Unauthorized access to marketing automation tools can lead to the mass distribution of malicious content, manipulation of customer mailing lists, and potential compromise of the underlying WordPress site.

Remediation

Immediate Action: Update the AcyMailing plugin to the latest version so that the required authorization checks are enforced.

Proactive Monitoring: Review WordPress audit logs for unexpected configuration changes or mass email activity initiated by non-administrative accounts.

Compensating Controls: Implement a Web Application Firewall (WAF) with rules configured to block suspicious requests targeting plugin administrative endpoints.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Plugin vulnerabilities are a primary attack vector for WordPress sites. Administrators must verify the version of AcyMailing in use and apply the latest vendor update to close this authorization gap and protect sensitive subscriber data.