CVE-2026-57739

AcyMailing Newsletter Team · AcyMailing SMTP Newsletter

The AcyMailing SMTP Newsletter plugin for WordPress contains a Blind SQL Injection vulnerability allowing unauthenticated attackers to extract database information.

Executive summary

A critical SQL injection vulnerability in the AcyMailing SMTP Newsletter plugin enables unauthenticated attackers to compromise database data.

Vulnerability

This is a Blind SQL Injection vulnerability (CWE-89) affecting the plugin's database interaction layer. An unauthenticated attacker can supply malicious input to the application, allowing them to manipulate SQL queries and exfiltrate sensitive data from the WordPress database.

Business impact

Successful exploitation allows an attacker to bypass standard application security to read sensitive database contents, potentially including user credentials, configurations, and internal application data. The CVSS score of 9.3 highlights the severity of this risk, as it could lead to widespread unauthorized data access and potential full site takeover.

Remediation

Immediate Action: Update the AcyMailing SMTP Newsletter plugin to the latest available version (beyond 10.11.0) as provided by the vendor.

Proactive Monitoring: Review database query logs for unusual syntax or high volumes of time-based queries that indicate blind SQL injection attempts.

Compensating Controls: Implement a Web Application Firewall (WAF) with SQL injection protection rules to filter malicious payloads targeting the plugin's input fields.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the critical nature of SQL injection, administrators should prioritize updating the AcyMailing SMTP Newsletter plugin immediately. If an update is not immediately available, consider temporarily deactivating the plugin to prevent potential data exfiltration.