High severity8.8NVD Advisory· Published Apr 16, 2026· Updated Apr 22, 2026
CVE-2026-3614
CVE-2026-3614
Description
The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions From 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the wp_ajax_acymailing_router AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected cms_id pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: >=9.11.0, <=10.8.1
Patches
Vulnerability mechanics
References
7- plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/WpInit/Router.phpnvd
- plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/WpInit/Router.phpnvd
- plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/WpInit/Router.phpnvd
- plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/back/Core/AcymController.phpnvd
- plugins.trac.wordpress.org/browser/acymailing/tags/10.8.1/back/Core/AcymController.phpnvd
- plugins.trac.wordpress.org/browser/acymailing/trunk/WpInit/Router.phpnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/a895e2cf-9eba-4c46-b19f-d008e1058f64nvd
News mentions
1- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 13, 2026 to April 19, 2026)Wordfence Blog · Apr 23, 2026