AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress Security & Risk Analysis

wordpress.org/plugins/acymailing

Boost audience engagement & lead generation with AcyMailing, an all-in-one newsletter automation tool for your marketing success.

7K active installs · v10.8.2 · PHP 7.4+ · WP 5.0+ · Updated Mar 13, 2026
Tags: automation, contact-list, drag-and-drop, email-marketing, newsletter
Score: 96 (A · Safe)
CVEs total: 4
Unpatched: 0
Last CVE: Dec 30, 2024
Safety Verdict

Is AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress Safe to Use in 2026?

Generally Safe

Score 96/100

AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress has a strong security track record. Known vulnerabilities have been patched promptly.

4 known CVEs · Last CVE: Dec 30, 2024 · Updated 21d ago
Risk Assessment

AcyMailing v10.8.2 presents a mixed security posture. It follows good practice in using prepared statements for SQL queries and escapes a significant number of outputs, but several concerning indicators are present. The static analysis reveals a notable attack surface with an unprotected AJAX handler, a potential entry point for unauthorized actions. The presence of dangerous functions like `unserialize`, `preg_replace` with the `/e` modifier, and `popen` points to areas where careful input validation and sanitization are critical to prevent code execution vulnerabilities. The taint analysis reported no critical or high severity flows, but every analyzed flow had an unsanitized path, indicating a need for more robust input handling across the board.

The plugin's vulnerability history is a significant concern, with a total of four known CVEs, including one high and three medium severity vulnerabilities. The common vulnerability types observed (Unrestricted Upload, Cross-Site Scripting, Open Redirect) are often exploited through unprotected entry points or improper input sanitization, reinforcing the findings from the static analysis. The fact that these vulnerabilities have been patched (indicated by 0 currently unpatched CVEs) is a positive sign, but the recurring nature of certain vulnerability types suggests a persistent weakness in how external input is handled.

Overall, AcyMailing v10.8.2 has areas of strength, particularly in its SQL query handling and extensive output escaping. However, the unprotected AJAX handler, the presence of dangerous functions, unsanitized taint flows, and a history of medium-to-high severity vulnerabilities necessitate careful consideration and diligent patching by users.

Key Concerns

  • Unprotected AJAX handler found
  • Dangerous functions present (unserialize, preg_replace(/e), popen)
  • All analyzed taint flows had unsanitized paths
  • 1 High severity CVE in history
  • 3 Medium severity CVEs in history
  • Low percentage of properly escaped outputs (19%)
  • Only 1 nonce check for entire plugin
  • Only 1 capability check for entire plugin
Vulnerabilities
4

AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress Security Vulnerabilities

CVEs by Year

  • 2021: 1 CVE
  • 2023: 1 CVE
  • 2024: 2 CVEs

Severity Breakdown

  • High: 1
  • Medium: 3

4 total CVEs

CVE-2025-24617 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress <= 9.11.0 - Reflected Cross-Site Scripting

Dec 30, 2024 Patched in 9.11.1 (53d)
CVE-2024-7384 · high · 7.5 · Unrestricted Upload of File with Dangerous Type

AcyMailing <= 9.7.2 - Authenticated (Subscriber+) Arbitrary File Upload via acym_extractArchive Function

Aug 21, 2024 Patched in 9.8.0 (1d)
CVE-2023-41867 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

AcyMailing SMTP Newsletter <= 8.6.2 - Reflected Cross-Site Scripting

Sep 5, 2023 Patched in 8.6.3 (140d)
CVE-2021-24288 · medium · 6.1 · URL Redirection to Untrusted Site ('Open Redirect')

AcyMailing SMTP Newsletter < 7.5.0 - Open Redirect

Apr 29, 2021 Patched in 7.5.0 (999d)
Code Analysis
Analyzed Mar 16, 2026

AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress Code Analysis

  • Dangerous Functions: 16
  • Raw SQL Queries: 1 (11 prepared)
  • Unescaped Output: 3374 (803 escaped)
  • Nonce Checks: 1
  • Capability Checks: 1
  • File Operations: 100
  • External Requests: 3
  • Bundled Libraries: 4

Dangerous Functions Found

  • unserialize: `$image = unserialize(file_get_contents('https://vimeo.com/api/v2/video/'.$vimeoMatch[5].'.php'));` (back\Controllers\Mails\Edition.php:747)
  • unserialize: `$groups = unserialize($groups);` (back\Core\wordpress\user.php:36)
  • unserialize: `$settings = unserialize($customField->post_content);` (back\dynamics\post\plugin.php:74)
  • unserialize: `$bouncedetails = unserialize($bouncedetails);` (back\helpers\BounceHelper.php:820)
  • unserialize: `$line = @unserialize($line);` (back\helpers\ExportHelper.php:205)
  • unserialize: `$oneTemplateStyles = unserialize($oneTemplate->styles);` (back\helpers\MigrationHelper.php:365)
  • unserialize: `$options = unserialize($value);` (back\helpers\MigrationHelper.php:600)
  • unserialize: `$templateStyles = unserialize($oneMail->styles);` (back\helpers\MigrationHelper.php:716)
  • unserialize: `$attachments = unserialize($oneMail->attach);` (back\helpers\MigrationHelper.php:753)
  • unserialize: `$actionUser = unserialize($oneRule->action_user);` (back\helpers\MigrationHelper.php:990)
  • unserialize: `$actionMessage = unserialize($oneRule->action_message);` (back\helpers\MigrationHelper.php:991)
  • unserialize: `'executed_on' => acym_escapeDB(json_encode(array_keys(unserialize($oneRule->executed_on)))),` (back\helpers\MigrationHelper.php:1018)
  • preg_replace(/e): `preg_replace( '#<video[^>]*youtube\.com/e` (back\helpers\PluginHelper.php:195)
  • unserialize: `$hash = @unserialize($hash);` (back\helpers\PluginHelper.php:223)
  • popen: `$mail = @popen($sendmail, 'w');` (back\Libraries\Mailer\Mailer.php:1774)
  • popen: `$mail = @popen($sendmail, 'w');` (back\Libraries\Mailer\Mailer.php:1800)

Bundled Libraries

Select2, TinyMCE, Guzzle, PHPMailer

SQL Query Safety

92% prepared · 12 total queries

Output Escaping

19% escaped · 4177 total outputs
Data Flows
3 unsanitized

Data Flow Analysis

3 flows · 3 with unsanitized paths
<Edition> (back\Controllers\Mails\Edition.php:0)
Attack Surface
1 unprotected

AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress Attack Surface

Entry Points: 2
Unprotected: 1

AJAX Handlers 1

  • auth: wp_ajax_acymailing_router (WpInit\Router.php:11)

Shortcodes 1

  • [acymailing_form_shortcode] (WpInit\Forms.php:51)
WordPress Hooks 46
  • action wp_head (back\Core\wordpress\form.php:83)
  • action admin_head (back\Core\wordpress\form.php:84)
  • action acym_head (back\Core\wordpress\form.php:85)
  • filter user_can_richedit (back\Core\wordpress\miscellaneous.php:28)
  • filter mce_external_plugins (back\helpers\EditorHelper.php:186)
  • filter mce_buttons (back\helpers\EditorHelper.php:187)
  • filter mce_buttons_2 (back\helpers\EditorHelper.php:188)
  • action media_buttons (back\helpers\EditorHelper.php:189)
  • action wp_initialize_site (index.php:42)
  • action plugins_loaded (index.php:45)
  • action widgets_init (index.php:48)
  • action init (index.php:51)
  • filter wpml_show_admin_language_switcher (index.php:53)
  • action fl_builder_after_render_module (WpInit\Beaver.php:9)
  • action fl_builder_after_render_ajax_layout_html (WpInit\Beaver.php:10)
  • filter wp_privacy_personal_data_exporters (WpInit\Data.php:12)
  • action admin_footer (WpInit\Deactivate.php:10)
  • action elementor/editor/before_enqueue_scripts (WpInit\Elementor.php:9)
  • action elementor/widgets/register (WpInit\Elementor.php:10)
  • action elementor/elements/categories_registered (WpInit\Elementor.php:11)
  • action elementor_pro/init (WpInit\Elementor.php:12)
  • action wp_head (WpInit\Forms.php:17)
  • action wp_footer (WpInit\Forms.php:18)
  • filter block_categories_all (WpInit\Gutenberg.php:17)
  • action admin_menu (WpInit\Menu.php:14)
  • filter wp_mail (WpInit\OverrideEmail.php:11)
  • action phpmailer_init (WpInit\OverrideEmail.php:99)
  • filter post_smtp_do_send_email (WpInit\OverrideEmail.php:100)
  • action wp_loaded (WpInit\Router.php:13)
  • action admin_print_scripts-toplevel_page_acymailing_dashboard (WpInit\Router.php:60)
  • action admin_print_styles-toplevel_page_acymailing_dashboard (WpInit\Router.php:61)
  • action wp_enqueue_media (WpInit\Router.php:62)
  • action init (WpInit\Router.php:63)
  • filter allowed_redirect_hosts (WpInit\Security.php:10)
  • filter pre_set_site_transient_update_plugins (WpInit\Update.php:16)
  • filter site_transient_update_plugins (WpInit\Update.php:17)
  • filter upgrader_package_options (WpInit\Update.php:18)
  • action upgrader_process_complete (WpInit\Update.php:19)
  • action admin_notices (WpInit\Update.php:58)
  • action register_form (WpInit\UserSync.php:12)
  • action edit_user_profile (WpInit\UserSync.php:13)
  • action show_user_profile (WpInit\UserSync.php:14)
  • action user_register (WpInit\UserSync.php:16)
  • action profile_update (WpInit\UserSync.php:17)
  • action delete_user (WpInit\UserSync.php:18)
  • filter rocket_exclude_static_dynamic_resources (WpInit\WpRocket.php:9)
Maintenance & Trust

AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 13, 2026
PHP min version: 7.4
Downloads: 200K

Community Trust

Rating: 96/100
Number of ratings: 157
Active installs: 7K
Developer Profile

AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress Developer Profile

AcyMailing Newsletter Team

20 plugins · 8K total installs

Trust score: 79
Avg Security Score: 100/100
Avg Patch Time: 298 days
Detection Fingerprints

How We Detect AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/acymailing/front/css/acymailing.css
  • /wp-content/plugins/acymailing/front/css/bootstrap.css
  • /wp-content/plugins/acymailing/front/css/bootstrap-theme.css
  • /wp-content/plugins/acymailing/front/css/custom.css
  • /wp-content/plugins/acymailing/front/css/templates.css
  • /wp-content/plugins/acymailing/front/js/jquery.form.min.js
  • /wp-content/plugins/acymailing/front/js/acymailing_frontend.js
  • /wp-content/plugins/acymailing/front/js/acymailing_modal.js
  • +2 more
Script Paths
  • /wp-content/plugins/acymailing/front/js/jquery.form.min.js
  • /wp-content/plugins/acymailing/front/js/acymailing_frontend.js
  • /wp-content/plugins/acymailing/front/js/acymailing_modal.js
  • /wp-content/plugins/acymailing/front/js/template.js
  • /wp-content/plugins/acymailing/front/js/chart.min.js
Version Parameters
  • acymailing/front/css/acymailing.css?ver=
  • acymailing/front/css/bootstrap.css?ver=
  • acymailing/front/css/bootstrap-theme.css?ver=
  • acymailing/front/css/custom.css?ver=
  • acymailing/front/css/templates.css?ver=
  • acymailing/front/js/jquery.form.min.js?ver=
  • acymailing/front/js/acymailing_frontend.js?ver=
  • acymailing/front/js/acymailing_modal.js?ver=
  • acymailing/front/js/template.js?ver=
  • acymailing/front/js/chart.min.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • acymailing_field
  • acymailing_subscription_form
  • acymailing_module_subscribe
  • acym_module
  • acym_form
HTML Comments
  • <!-- BEGIN: MODULE subscribe -->
  • <!-- END: MODULE subscribe -->
  • <!-- BEGIN: MODULE acym_module -->
  • <!-- END: MODULE acym_module -->
  • +2 more
Data Attributes
  • data-acymailing-target
  • data-acymailing-modal-open
  • data-acymailing-modal-close
  • data-acymailing-template
JS Globals
  • ACYM_AJAX_URL
  • ACYM_TOGGLE_URL
  • ACYM_IS_ADMIN
  • acymailing_options
REST Endpoints
  • /wp-json/acymailing/v1/forms
  • /wp-json/acymailing/v1/subscribers
Shortcode Output
  • [acymailing_form]
  • [acymailing_signup]
  • [acymailing_profile]
  • [acymailing_archive]