AcyMailing WordPress Plugin Vulnerable to Admin Takeover (CVE-2026-5200)
The National Vulnerability Database has detailed CVE-2026-5200, a critical missing authorization vulnerability in the AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin. Versions up to and including 10.8.2 are affected. This flaw stems from inadequate authorization checks, allowing authenticated attackers with subscriber-level access or higher to manipulate privileged AcyMailing configurations.
This isn’t just a configuration tweak. Attackers can export subscriber secret keys. Crucially, these actions can be chained to achieve full administrator account takeover if the target administrator’s email address is known. With a CVSS score of 8.8 (HIGH), this vulnerability represents a significant risk, enabling high impact on confidentiality, integrity, and availability.
This is a textbook case of how a seemingly minor authorization bypass can escalate into a full system compromise. The attacker’s calculus is simple: gain a low-privilege foothold, exploit the authorization flaw to elevate, and then pivot to take over the administrator account. For defenders, it means a subscriber account is no longer just a subscriber account; it’s a potential launchpad for a full breach.
What This Means For You
- If your organization uses the AcyMailing WordPress plugin, you need to check your version immediately. Patch to a remediated version beyond 10.8.2. Assume any existing subscriber accounts could be compromised and used to escalate privileges, especially if administrator email addresses are publicly known. Audit your AcyMailing configurations and logs for any unauthorized changes.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-5200 - AcyMailing Subscriber Level Configuration Modification
title: CVE-2026-5200 - AcyMailing Subscriber Level Configuration Modification
id: scw-2026-05-20-ai-1
status: experimental
level: high
description: |
Detects attempts to modify AcyMailing configuration by authenticated users with subscriber-level access or above. This rule specifically targets the 'saveconfig' task within the AcyMailing component accessed via '/wp-admin/admin.php', which is a key indicator of the vulnerability exploitation path described in CVE-2026-5200.
author: SCW Feed Engine (AI-generated)
date: 2026-05-20
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-5200/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/wp-admin/admin.php'
cs-uri-query|contains:
- 'page=acymailing_campaigns'
cs-uri-query|contains:
- 'subid='
cs-uri-query|contains:
- 'task=saveconfig'
cs-method:
- 'POST'
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-5200 | Auth Bypass | AcyMailing plugin for WordPress versions <= 10.8.2 |
| CVE-2026-5200 | Privilege Escalation | AcyMailing plugin for WordPress: modify privileged configuration |
| CVE-2026-5200 | Information Disclosure | AcyMailing plugin for WordPress: export subscriber secret keys |
| CVE-2026-5200 | Account Takeover | AcyMailing plugin for WordPress: administrator account takeover |
| CVE-2026-5200 | CWE-862: Missing Authorization in AcyMailing plugin for WordPress |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 20, 2026 at 11:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-20240 — Denial of Service
CVE-2026-20240 — In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129,...
Splunk Enterprise, Cloud Vulnerability Exposes Session Cookies, Sensitive Data
CVE-2026-20239 — In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a...
CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged
CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data...