CVE-2026-5200 · HIGH 8.8 · EPSS p25.2%

Description

The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 10.8.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to modify privileged AcyMailing configuration, export subscriber secret keys, and chain these actions into administrator account takeover when a target administrator email address is known.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.34% probability of exploitation · percentile 25.2% · 2026-06-19T12:03:05Z
Published: 2026-05-20
Last modified: 2026-05-20

Underlying weaknesses · 1

CWE-862

References

  1. https://plugins.trac.wordpress.org/changeset/3516422/acymailing
  2. https://www.wordfence.com/threat-intel/vulnerabilities/id/f8470662-2247-4159-9dac-f13677c94bdf?source=cve

Type: Weakness · Target: Missing Authorization cwe-862 · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-3614
  2. CVE-2026-6963
  3. CVE-2026-6235
  4. CVE-2025-5486
  5. CVE-2025-26741
  6. CVE-2025-2933

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.