PT-2026-33267 · WordPress · Acymailing

Ren Voza · Published 2026-04-16 · Updated 2026-04-20 · CVE-2026-3614

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: AcyMailing versions 9.11.0 through 10.8.1

Description: A missing capability check on the `wp_ajax_acymailing_router` AJAX handler allows authenticated attackers with Subscriber-level access or higher to access admin-only controllers, including configuration management. This flaw enables the activation of the autologin feature and the creation of a malicious newsletter subscriber with an injected `cms_id` pointing to any user, allowing the attacker to authenticate as that user, including administrators.

Recommendations: Update to version 10.8.2.
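The root cause described above is a generic WordPress pattern: a `wp_ajax_{action}` hook fires for every logged-in user, so a router that dispatches to admin controllers without a capability check exposes those controllers to Subscribers. The following is an added example, not AcyMailing's code, showing a hypothetical router (`myplugin_router`, `myplugin_dispatch`, the `ctrl` parameter and the `manage_options` gate are all assumptions) in its vulnerable form beside the hardened form a maintainer would ship.

```php
<?php
// Added example (hypothetical plugin, not AcyMailing's code).
// A single AJAX "router" action that forwards to controller classes.

// Vulnerable pattern: wp_ajax_{action} runs for any authenticated user, and
// nothing here checks who is calling, so a Subscriber reaches every controller,
// including configuration management.
function myplugin_router_vulnerable() {
    $ctrl = isset( $_REQUEST['ctrl'] ) ? sanitize_key( $_REQUEST['ctrl'] ) : 'front';
    myplugin_dispatch( $ctrl );
    wp_die();
}

// Hardened pattern: verify the request nonce, then gate every controller that
// is not on an explicit public allow-list behind a capability check.
function myplugin_router_secure() {
    // Rejects requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'myplugin_router', 'nonce' );

    $ctrl = isset( $_REQUEST['ctrl'] ) ? sanitize_key( $_REQUEST['ctrl'] ) : 'front';

    // Controllers a low-privilege user is allowed to reach (assumed names).
    $public_controllers = array( 'front', 'subscribe' );

    // Everything else (config, users, autologin settings, ...) requires an
    // administrator-level capability; deny with a 403 the site can log on.
    if ( ! in_array( $ctrl, $public_controllers, true )
        && ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    myplugin_dispatch( $ctrl );
    wp_die();
}

// Hypothetical dispatcher: hands the request to the named controller.
function myplugin_dispatch( $ctrl ) {
    do_action( "myplugin_controller_{$ctrl}" );
}

// Register only the hardened handler for logged-in AJAX requests.
add_action( 'wp_ajax_myplugin_router', 'myplugin_router_secure' );
```

Two design points matter for detection and review: the allow-list makes the privileged surface explicit (a reviewer can enumerate which controllers an unprivileged role may call), and the 403 response gives web-server and WAF logs a clear signal when a low-privilege account probes admin-only controllers.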

Fix · LPE · Missing Authorization


Weakness Enumeration

Related Identifiers: CVE-2026-3614

Affected Products: Acymailing