Introduction
A missing authorization check in the AcyMailing WordPress plugin allows any authenticated user with Subscriber level access to chain together configuration tampering and secret key exfiltration into a full administrator account takeover. With over 7,000 active installations and a CVSS score of 8.8, this vulnerability represents a meaningful risk for WordPress sites that rely on AcyMailing for newsletter and marketing automation.
AcyMailing is a WordPress plugin developed by the AcyMailing Newsletter Team that provides drag and drop email editing, automated newsletter workflows, and subscriber data personalization. It serves as a self hosted alternative to SaaS email marketing platforms, making it popular among organizations that want to keep their mailing list data on their own infrastructure. That positioning also means a compromise of the plugin can expose both the WordPress admin panel and the subscriber data it manages.
Technical Information
CVE-2026-5200 is classified under CWE-862 (Missing Authorization). The flaw lives in the acymailing_router component, which handles incoming requests and dispatches them to various plugin functions. The core problem is that this router does not perform adequate capability checks before executing privileged operations. A request from a Subscriber is processed with the same trust level as a request from an Administrator.
The CVSS 3.1 vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This tells us the vulnerability is network exploitable with low complexity, requires only low privileges (a valid Subscriber account), needs no user interaction, and scores high across all three impact dimensions: confidentiality, integrity, and availability.
Attack Flow
The exploitation path is a chained attack that proceeds through several stages:
-
Obtain Subscriber access. The attacker either registers a new account on a WordPress site that allows open registration or uses an existing Subscriber level account. This is the only prerequisite.
-
Modify privileged AcyMailing configuration. The attacker sends crafted requests to the
acymailing_routerendpoint. Because the router lacks proper authorization verification, these requests to modify plugin configuration are accepted and executed regardless of the caller's actual WordPress role. -
Export subscriber secret keys. Using the same authorization gap, the attacker extracts secret keys associated with subscriber records. These keys are internal to AcyMailing's authentication and session management logic.
-
Chain into administrator takeover. If the attacker knows the email address of a site administrator (a piece of information that is frequently discoverable through WordPress author pages, public comments, or simple enumeration), they can combine the modified configuration and the exported secret keys to impersonate the administrator and gain full control of the WordPress site.
Patch Details
The fix was shipped in version 10.9.0, which was a large release touching 170 files. The security relevant changes were concentrated in two files: WpInit/Router.php and back/Core/wordpress/security.php. These are the components responsible for request routing and access control enforcement, respectively. A follow up release, version 10.9.1 (released April 29, 2026), corrected additional issues where the new access controls were overly restrictive and prevented some legitimate features from functioning correctly based on access rights.
Affected Systems and Versions
All versions of the AcyMailing WordPress plugin up to and including version 10.8.2 are vulnerable. The fix is available starting in version 10.9.0, with version 10.9.1 recommended as the preferred update target due to access control regressions in the initial patch release.
| Detail | Value |
|---|---|
| Vulnerable versions | All versions through 10.8.2 |
| Fixed in | 10.9.0 (10.9.1 recommended) |
| Active installations | Over 7,000 |
| Required attacker privilege | Subscriber (or any authenticated role) |
Any WordPress site running AcyMailing with open user registration enabled is at elevated risk, as the only prerequisite for exploitation is a valid authenticated session at the Subscriber level.
Vendor Security History
The disclosure of CVE-2026-5200 comes just weeks after CVE-2026-3614, a structurally similar vulnerability published on April 16, 2026. That earlier flaw affected AcyMailing versions 9.11.0 through 10.8.1 and also involved a missing capability check on the AJAX router. In that case, the exploitation path leveraged the autologin feature to escalate from Subscriber to Administrator.
The recurrence of the same vulnerability class (missing authorization in the router) in rapid succession suggests a systemic issue with how AcyMailing implements access control around its request dispatching logic. Rather than a one off coding error, this pattern indicates that the router's architecture may not enforce capability checks by default, leaving individual endpoints responsible for their own authorization, a design that is prone to exactly this type of oversight.



