High severity (8.8) · NVD Advisory · Published Apr 16, 2026 · Updated Apr 22, 2026
CVE-2026-3614
Description
The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions from 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the wp_ajax_acymailing_router AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected cms_id pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators.
Patches
No patches discovered yet.
References
- plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/WpInit/Router.php (nvd)
- plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/back/Core/AcymController.php (nvd)
- plugins.trac.wordpress.org/browser/acymailing/tags/10.8.1/back/Core/AcymController.php (nvd)
- plugins.trac.wordpress.org/browser/acymailing/trunk/WpInit/Router.php (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/a895e2cf-9eba-4c46-b19f-d008e1058f64 (nvd)
News mentions
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 13, 2026 to April 19, 2026), Wordfence Blog · Apr 23, 2026