📄 Description (English)
The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions From 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected `cms_id` pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators.
🤖 AI Executive Summary
CVE-2026-3614 is a critical privilege escalation vulnerability in AcyMailing WordPress plugin (versions 9.11.0-10.8.1) allowing authenticated Subscriber-level users to escalate privileges to Administrator through missing capability checks in AJAX handlers. Attackers can exploit this to create malicious newsletter subscribers with injected user IDs and use autologin features to impersonate any user including admins. With CVSS 8.8 and no patch currently available, this poses immediate risk to WordPress installations across Saudi organizations.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 23, 2026 09:45
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations using WordPress with AcyMailing plugin, particularly: (1) Government agencies and NCA-regulated entities using WordPress for citizen services and communications; (2) Banking and financial institutions (SAMA-regulated) using WordPress for customer portals and newsletters; (3) Healthcare providers using WordPress for patient communication and appointment systems; (4) Telecom operators (STC, Mobily, Zain) using WordPress for customer engagement; (5) E-commerce and retail sectors managing customer databases. The privilege escalation to admin-level access enables complete system compromise, data theft, malware injection, and lateral movement to connected systems.
🏢 Affected Saudi Sectors
Government and Public Administration
Banking and Financial Services
Healthcare and Medical Services
Telecommunications
E-commerce and Retail
Education
Energy and Utilities
🎯 MITRE ATT&CK Techniques
T1548 - Abuse Elevation Control Mechanism
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1078 - Valid Accounts
T1078.001 - Valid Accounts: Default Accounts
T1087 - Account Discovery
T1098 - Account Manipulation
T1098.001 - Account Manipulation: Additional Cloud Credentials
T1110 - Brute Force
T1190 - Exploit Public-Facing Application
T1199 - Trusted Relationship
⚖️ Saudi Risk Score (AI)
9.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all WordPress installations using AcyMailing plugin versions 9.11.0-10.8.1 across your organization
2. Disable the AcyMailing plugin immediately as a temporary measure until patch is available
3. Review user access logs for suspicious AJAX requests to wp_ajax_acymailing_router endpoint
4. Audit all user accounts created or modified in the past 30 days, especially newsletter subscribers
5. Check for unauthorized autologin URLs in newsletter content and subscriber records
PATCHING GUIDANCE:
- Monitor AcyMailing official repository for security patch release
- Once patch is available, apply immediately after testing in non-production environment
- Update to version beyond 10.8.1 when released
COMPENSATING CONTROLS (if plugin cannot be disabled):
1. Implement Web Application Firewall (WAF) rules to block requests to wp_ajax_acymailing_router from non-admin users
2. Restrict AJAX handler access via .htaccess or nginx configuration to admin users only
3. Implement strict capability checks at database level for newsletter subscriber creation
4. Disable autologin feature in AcyMailing settings immediately
5. Implement IP whitelisting for admin AJAX requests
6. Enable WordPress security logging and monitor for privilege escalation attempts
DETECTION RULES:
- Monitor for POST requests to /wp-admin/admin-ajax.php?action=acymailing_router from non-admin users
- Alert on creation of newsletter subscribers with cms_id values matching existing WordPress user IDs
- Monitor for autologin URL generation and usage patterns
- Track failed and successful privilege escalation attempts in WordPress audit logs
- Monitor for unusual AJAX requests originating from Subscriber-level accounts
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع تثبيتات WordPress التي تستخدم مكون AcyMailing من الإصدارات 9.11.0-10.8.1 عبر منظمتك
2. تعطيل مكون AcyMailing فوراً كإجراء مؤقت حتى يتوفر التصحيح
3. مراجعة سجلات الوصول للمستخدمين بحثاً عن طلبات AJAX المريبة إلى نقطة نهاية wp_ajax_acymailing_router
4. تدقيق جميع حسابات المستخدمين التي تم إنشاؤها أو تعديلها في آخر 30 يوماً، خاصة مشتركي النشرات الإخبارية
5. التحقق من عناوين URL تسجيل الدخول التلقائي غير المصرح بها في محتوى النشرة الإخبارية وسجلات المشتركين
إرشادات التصحيح:
- مراقبة مستودع AcyMailing الرسمي لإصدار تصحيح الأمان
- عند توفر التصحيح، قم بتطبيقه فوراً بعد الاختبار في بيئة غير الإنتاج
- التحديث إلى إصدار يتجاوز 10.8.1 عند إصداره
الضوابط البديلة (إذا لم يتمكن من تعطيل المكون):
1. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحظر الطلبات إلى wp_ajax_acymailing_router من المستخدمين غير الإداريين
2. تقييد الوصول إلى معالج AJAX عبر .htaccess أو تكوين nginx للمستخدمين الإداريين فقط
3. تنفيذ فحوصات القدرات الصارمة على مستوى قاعدة البيانات لإنشاء مشتركي النشرات الإخبارية
4. تعطيل ميزة تسجيل الدخول التلقائي في إعدادات AcyMailing فوراً
5. تنفيذ القائمة البيضاء للعناوين IP لطلبات AJAX الإدارية
6. تفعيل تسجيل أمان WordPress ومراقبة محاولات تصعيد الامتيازات
قواعد الكشف:
- مراقبة طلبات POST إلى /wp-admin/admin-ajax.php?action=acymailing_router من المستخدمين غير الإداريين
- التنبيه عند إنشاء مشتركي النشرات الإخبارية برموز cms_id تطابق معرفات مستخدمي WordPress الموجودين
- مراقبة توليد واستخدام عناوين URL تسجيل الدخول التلقائي
- تتبع محاولات تصعيد الامتيازات الفاشلة والناجحة في سجلات تدقيق WordPress
- مراقبة طلبات AJAX غير العادية التي تنشأ من حسابات على مستوى المشترك
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.9.2.1 - User access management and privilege escalation prevention
ECC 2024 A.9.4.3 - Authentication and authorization controls
ECC 2024 A.12.4.1 - Event logging and monitoring of security events
ECC 2024 A.14.2.1 - Secure development and vulnerability management
🔵 SAMA CSF
SAMA CSF ID.AM-2 - Software and hardware inventory management
SAMA CSF PR.AC-1 - Access control and authentication mechanisms
SAMA CSF PR.AC-4 - Access rights and privilege management
SAMA CSF DE.CM-1 - Detection and monitoring of unauthorized access attempts
🟡 ISO 27001:2022
ISO 27001:2022 A.5.15 - Access control
ISO 27001:2022 A.8.2 - User endpoint devices
ISO 27001:2022 A.8.3 - User access management
ISO 27001:2022 A.8.4 - Access rights
ISO 27001:2022 A.8.32 - Change management
🟣 PCI DSS v4.0.1
PCI DSS 2.1 - Inventory of system components
PCI DSS 6.2 - Security patches and updates
PCI DSS 7.1 - Limit access to system components
PCI DSS 8.2 - User identification and authentication
🔗 References & Sources 7
🔗
🔗
🔗
🔗
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/WpInit/Router.php#L11
security@wordfence.com
https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/WpInit/Router.php#L122
security@wordfence.com
https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/WpInit/Router.php#L230
security@wordfence.com
https://plugins.trac.wordpress.org/browser/acymailing/tags/10.7.1/back/Core/AcymControl...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/acymailing/tags/10.8.1/back/Core/AcymControl...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/acymailing/trunk/WpInit/Router.php#L11
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/a895e2cf-9eba-4c46-b19f-d008e...
security@wordfence.com