CVE-2026-57739
AcyMailing Newsletter Team · AcyMailing SMTP Newsletter
The AcyMailing SMTP Newsletter plugin for WordPress contains a Blind SQL Injection vulnerability allowing unauthenticated attackers to extract database information.
Executive summary
A critical SQL injection vulnerability in the AcyMailing SMTP Newsletter plugin enables unauthenticated attackers to compromise database data.
Vulnerability
This is a Blind SQL Injection vulnerability (CWE-89) affecting the plugin's database interaction layer. An unauthenticated attacker can supply malicious input to the application, allowing them to manipulate SQL queries and exfiltrate sensitive data from the WordPress database.
Business impact
Successful exploitation allows an attacker to bypass standard application security to read sensitive database contents, potentially including user credentials, configurations, and internal application data. The CVSS score of 9.3 highlights the severity of this risk, as it could lead to widespread unauthorized data access and potential full site takeover.
Remediation
Immediate Action: Update the AcyMailing SMTP Newsletter plugin to the latest available version (beyond 10.11.0) as provided by the vendor.
Proactive Monitoring: Review database query logs for unusual syntax or high volumes of time-based queries that indicate blind SQL injection attempts.
Compensating Controls: Implement a Web Application Firewall (WAF) with SQL injection protection rules to filter malicious payloads targeting the plugin's input fields.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical nature of SQL injection, administrators should prioritize updating the AcyMailing SMTP Newsletter plugin immediately. If an update is not immediately available, consider temporarily deactivating the plugin to prevent potential data exfiltration.