WordPress Plugin Flaw Lets Subscribers Hijack Admin Accounts

Shimi’s Cyber World has learned that the AcyMailing plugin for WordPress contains a critical privilege escalation vulnerability, tracked as CVE-2026-3614. According to the National Vulnerability Database, all versions from 9.11.0 up to and including 10.8.1 are affected by a missing capability check in the wp_ajax_acymailing_router AJAX handler.

The oversight is serious. WordPress invokes wp_ajax_ handlers for every authenticated user, so an attacker needs nothing more than a Subscriber-level account to reach the router, and with no capability check behind it the router hands them the plugin's administrator-only controllers. The National Vulnerability Database notes that attackers can use this to modify the plugin configuration, enable the autologin feature, provision a new subscriber whose cms_id points at any WordPress user, and then use the generated autologin URL to impersonate that user, administrators included. Sites running any version in the affected range should update to a release later than 10.8.1 and review the autologin setting and any recently created subscribers.
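To make the missing check concrete, here is an added example of a WordPress AJAX router in the vulnerable shape the advisory describes, next to a hardened version. This is illustrative code written for this post, not AcyMailing's source; the hook name example_router, the ctrl and task request parameters, the controller names and the capability map are all assumptions made for the example.

```php
<?php
// Illustrative WordPress AJAX router (example for this post, not AcyMailing's code).
// Assumed for the example: hook 'example_router', request parameters 'ctrl' and
// 'task', and the controller names used in the capability map below.

// --- Vulnerable shape (shown for contrast, NOT hooked below) ---
// wp_ajax_* hooks fire for any logged-in user, Subscribers included. With no
// nonce and no current_user_can() check, whatever 'ctrl' the client names is
// dispatched, so a Subscriber reaches the administrator-only 'config' controller.
function example_router_vulnerable() {
    $ctrl = isset($_REQUEST['ctrl']) ? sanitize_key($_REQUEST['ctrl']) : '';
    $task = isset($_REQUEST['task']) ? sanitize_key($_REQUEST['task']) : '';

    example_dispatch($ctrl, $task);   // missing capability check
    wp_die();
}

// --- Hardened shape (this one is hooked) ---
add_action('wp_ajax_example_router', 'example_router_hardened');

// Each controller declares the capability it requires; anything unlisted is refused.
function example_required_capability($ctrl) {
    $map = array(
        'config'     => 'manage_options',    // plugin settings: administrators only
        'newsletter' => 'edit_others_posts', // editors and above
        'dashboard'  => 'read',              // any logged-in user
    );
    return isset($map[$ctrl]) ? $map[$ctrl] : null;
}

function example_router_hardened() {
    // Rejects requests without a valid nonce (wp_die()s on failure).
    check_ajax_referer('example_router_nonce', 'nonce');

    $ctrl = isset($_REQUEST['ctrl']) ? sanitize_key($_REQUEST['ctrl']) : '';
    $task = isset($_REQUEST['task']) ? sanitize_key($_REQUEST['task']) : '';

    // Authorize against the controller actually requested, before dispatching.
    $cap = example_required_capability($ctrl);
    if ($cap === null || !current_user_can($cap)) {
        wp_send_json_error(array('message' => 'Forbidden'), 403);
    }

    example_dispatch($ctrl, $task);
    wp_die();
}

// Placeholder for the plugin's controller dispatch.
function example_dispatch($ctrl, $task) {
    do_action("example_controller_{$ctrl}_{$task}");
}
```

The capability check belongs in the router itself, keyed on the controller the request names, rather than relying on admin-menu registration to keep non-administrators out: admin-ajax.php is reachable by every logged-in user regardless of which menus they can see. Separately, any field that binds a plugin record to a WordPress account (the advisory's cms_id is such a field) should be set server-side from the authenticated session, never accepted from the request body.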

Indicators of Compromise

| ID | Type | Indicator |
| --- | --- | --- |
| CVE-2026-3614 | Privilege Escalation | AcyMailing plugin for WordPress, versions 9.11.0 through 10.8.1 |
| CVE-2026-3614 | Privilege Escalation | Missing capability check on the `wp_ajax_acymailing_router` AJAX handler |
| CVE-2026-3614 | Privilege Escalation | Authenticated attackers with Subscriber-level access can reach admin-only controllers |
| CVE-2026-3614 | Privilege Escalation | Ability to create a malicious newsletter subscriber with an injected `cms_id` |
