[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fswpG1TadAcGoifmT4pdd56g4L1ug9ftuj1nldKxgjg0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-5200","acymailing-missing-authorization-to-authenticated-subscriber-privilege-escalation-via-acymailingrouter","AcyMailing \u003C= 10.8.2 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation via 'acymailing_router'","The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 10.8.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to modify privileged AcyMailing configuration, export subscriber secret keys, and chain these actions into administrator account takeover when a target administrator email address is known.","acymailing",null,"\u003C=10.8.2","10.9.0","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Missing Authorization","2026-05-19 18:19:44","2026-05-20 07:21:10",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Ff8470662-2247-4159-9dac-f13677c94bdf?source=api-prod",1,[22,23,24,25,26,27,28,29],"WpInit\u002FCron.php","WpInit\u002FRouter.php","back\u002FClasses\u002FAutomationClass.php","back\u002FClasses\u002FCampaignClass.php","back\u002FClasses\u002FFormClass.php","back\u002FClasses\u002FPluginClass.php","back\u002FClasses\u002FQueueClass.php","back\u002FClasses\u002FUserClass.php","researched",false,3,"This research plan outlines the steps required to demonstrate privilege escalation and account takeover in AcyMailing versions 10.8.2 and below.\n\n### 1. Vulnerability Summary\nThe `acymailing` plugin registers a centralized AJAX router, `acymailing_router`, which fails to implement any capability checks (e.g., `current_user_can()`) or nonce verification. While the router calls `auth_redirect()`, this only ensures the user is authenticated (at any level, including Subscriber) but does not verify they have administrative permissions. This allows a low-privileged user to invoke high-privileged controller methods to modify configuration or export sensitive user data, including \"secret keys\" used for automated login.\n\n### 2. 
Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n- **Action:** `acymailing_router`\n- **Vulnerable Parameters:** `ctrl` (specifies the controller) and `task` (specifies the method).\n- **Authentication:** Required (Subscriber or higher).\n- **Preconditions:** A known target administrator's email address or user ID.\n\n### 3. Code Flow\n1. **Entry Point:** The `AcyMailing\\WpInit\\Router::__construct` registers `wp_ajax_acymailing_router` pointing to the `router` method.\n2. **Authorization Failure:** Inside `AcyMailing\\WpInit\\Router::router(bool $front = false)`:\n   - Line 158: `if (!$front) { auth_redirect(); }` is called. This only checks if the user is logged in.\n   - The code then determines the controller via `$ctrl = acym_getVar('cmd', 'ctrl', '');` (Line 183).\n   - Line 222: The controller class is dynamically instantiated: `$controllerNamespace = 'AcyMailing\\\\'.$subNamespace.'Controllers\\\\'.ucfirst($ctrl).'Controller';`.\n   - The code proceeds to invoke the controller without checking if the current user should have access to the `back` (admin) namespace controllers.\n3. **Sink:** Methods within `AcyMailing\\Controllers\\UsersController` or `AcyMailing\\Controllers\\ConfigurationController` are executed, allowing data export or setting modification.\n\n### 4. Nonce Acquisition Strategy\nThe `router` method in `WpInit\u002FRouter.php` does **not** call `check_ajax_referer` or `wp_verify_nonce`. Therefore, the exploitation of this specific endpoint does not require a nonce.\n\n*Note: If specific controller tasks (invoked via the router) happen to check for a nonce independently, it can be found in the global JS variable `acym_helper` or `acymailing` localized by the plugin on admin pages accessible to subscribers (like the dashboard if enabled).*\n\n### 5. Exploitation Strategy\n\n#### Step 1: Export Admin Secret Key\nThe attacker will use the `UsersController` to export user data. 
AcyMailing allows exporting user lists to CSV, which includes the `key` field. The `export_type` and `columns[]` parameter names below are assumed and have not been verified against `UsersController::export` in 10.8.2; confirm them against the plugin source before relying on this request.\n\n- **Request Type:** POST\n- **URL:** `http:\u002F\u002Fvulnerable-site.com\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Body (URL-encoded):**\n  ```\n  action=acymailing_router\n  &ctrl=users\n  &task=export\n  &export_type=csv\n  &columns[]=email\n  &columns[]=key\n  &columns[]=id\n  ```\n- **Expected Response:** A CSV file or a direct download link containing the email addresses and the secret `key` for all users, including the administrator.\n\n#### Step 2: Account Takeover via Autologin\nOnce the administrator's `key` and `id` (or email) are obtained, the attacker uses the `autologin` feature registered in `Router.php`.\n\n- **Target URL:** `http:\u002F\u002Fvulnerable-site.com\u002Findex.php?acy_user=[ADMIN_ID]&acy_key=[SECRET_KEY]`\n- **Mechanism:** The `Router::autologin` method (invoked on the `init` hook) checks these parameters and authenticates the session as the user associated with that key.\n\n### 6. Test Data Setup\n1. **Users:**\n   - Create an Administrator user (e.g., `admin@example.com`).\n   - Create a Subscriber user (e.g., `attacker@example.com`).\n2. **Plugin State:** Ensure AcyMailing 10.8.2 is installed and activated.\n3. **Data:** Ensure the AcyMailing user table contains the administrator's record (the plugin usually syncs WP users to its own table automatically).\n\n### 7. Expected Results\n- The AJAX request to `ctrl=users&task=export` should return a 200 OK response with the CSV content, despite the requester being a Subscriber.\n- The CSV content must contain a column for `key`.\n- Navigating to the `autologin` URL should result in the attacker being redirected to the dashboard as the Administrator.\n\n### 8. Verification Steps\n1. **Check Role:** After the `autologin` redirect, open `wp-admin\u002Fusers.php` in the same browser session. That page requires the `list_users` capability, so it renders the user list for an administrator and returns the \"Sorry, you are not allowed to access this page.\" error for a Subscriber. WP-CLI cannot verify this step, because it runs without the browser session that `autologin` created.\n2. 
**Verify Configuration Access:** Attempt to access the AcyMailing configuration page via the UI to confirm full administrative access.\n3. **Database Check:** Confirm the `key` used matches the `key` in the `{prefix}_acym_user` table:\n   `wp db query \"SELECT email, \\`key\\` FROM wp_acym_user WHERE cms_id = 1\"`\n\n### 9. Alternative Approaches\nIf the `export` task is restricted within the controller, attempt to use the `UsersController::edit` task to read the admin's profile:\n- **Request:** `action=acymailing_router&ctrl=users&task=edit&id=[ADMIN_ID]`\n- **Payload:** Look for the secret key in the HTML response\u002Fform fields.\n\nIf configuration modification is the goal:\n- **Task:** `ctrl=configuration&task=save`\n- **Payload:** `&config[sender_email]=attacker@example.com&config[allow_unsub]=0` (demonstrating unauthorized config modification).","The AcyMailing plugin (\u003C= 10.8.2) fails to perform adequate authorization checks within its centralized AJAX router, 'acymailing_router'. While the router ensures a user is authenticated, it does not verify administrative capabilities, allowing low-privileged users (like Subscribers) to execute administrative controller methods. This can lead to sensitive data exposure, including administrator 'secret keys' used for automated login, resulting in full account takeover.","\u002F\u002F AcyMailing\u002FWpInit\u002FRouter.php:157\n    public function router(bool $front = false): void\n    {\n        displayFreeTrialMessage();\n\n\n        if (!$front) {\n            auth_redirect();\n        }\n\n\u002F\u002F ... \n\n\u002F\u002F AcyMailing\u002FWpInit\u002FRouter.php:222\n        $this->deactivateHookAdminFooter();\n        $subNamespace = $front ? 
'Front' : '';\n        $controllerNamespace = 'AcyMailing\\\\'.$subNamespace.'Controllers\\\\'.ucfirst($ctrl).'Controller';\n\n        if (!class_exists($controllerNamespace)) {\n            echo acym_translation('ACYM_PAGE_NOT_FOUND').': '.$ctrl;\n\n            return;\n        }\n\n        $controller = new $controllerNamespace();\n        $controller->call($task);","--- a\u002Fback\u002FWpInit\u002FRouter.php\n+++ b\u002Fback\u002FWpInit\u002FRouter.php\n@@ -158,6 +158,10 @@\n \n         if (!$front) {\n             auth_redirect();\n+\n+            if (!acym_isAdmin()) {\n+                wp_die(acym_translation('ACYM_NOT_ALLOWED'));\n+            }\n         }\n \n         if (file_exists(ACYM_FOLDER.'update.php')) {","1. Authenticate to the WordPress site as a user with Subscriber-level privileges.\n2. Submit a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' set to 'acymailing_router'.\n3. Configure the 'ctrl' parameter to 'users' and the 'task' parameter to 'export' to trigger the user data export functionality.\n4. Include the 'columns[]' parameter set to 'email' and 'key' (and 'id') to ensure the secret autologin keys are included in the generated CSV.\n5. Download the CSV output and identify the administrator's account ID and secret key.\n6. 
Navigate to the site's autologin URL (e.g., \u002F?acy_user=[ADMIN_ID]&acy_key=[SECRET_KEY]) to gain full administrative access to the site.","gemini-3-flash-preview","2026-05-20 16:30:03","2026-05-20 16:30:59",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","10.8.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facymailing\u002Ftags\u002F10.8.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Facymailing.10.8.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facymailing\u002Ftags\u002F10.9.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Facymailing.10.9.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Facymailing\u002Ftags"]
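For sites that cannot update to 10.9.0 immediately, the same admin gate the fix adds in `Router::router` can be applied from outside the plugin by hooking the logged-in AJAX action the advisory identifies (`wp_ajax_acymailing_router`) before AcyMailing's own callback runs. The following must-use plugin is an added example written for this advisory; it is not AcyMailing or Wordfence code. It assumes AcyMailing registers its callback at the default priority 10, uses `manage_options` as a stand-in for "administrator", and assumes no legitimate subscriber-level workflow on the site goes through this logged-in router (the front-end `$front` path and the `autologin` handler are not touched).

```php
<?php
/**
 * Plugin Name: AcyMailing router virtual patch (temporary)
 * Description: Blocks non-administrators from the logged-in AcyMailing AJAX router
 *              until AcyMailing is updated to 10.9.0 or later.
 *
 * Install: copy this file into wp-content/mu-plugins/ (mu-plugins load before normal plugins).
 * Added example for CVE-2026-5200; not AcyMailing or Wordfence code.
 */

// Hook name as registered by AcyMailing\WpInit\Router::__construct (per the advisory).
// Priority 0 runs before the plugin's callback, which is ASSUMED to sit at the default priority 10.
add_action('wp_ajax_acymailing_router', function () {
    // ASSUMPTION: manage_options stands in for "administrator"; widen this only if you
    // deliberately delegate AcyMailing administration to another role.
    if (current_user_can('manage_options')) {
        return; // let AcyMailing's own router callback handle the request
    }

    // Record the blocked attempt so blocked probes can be correlated with earlier,
    // unblocked ones (pre-patch requests with ctrl/task from low-privileged users).
    error_log(sprintf(
        'acym-virtual-patch: blocked user %d ctrl=%s task=%s from %s',
        get_current_user_id(),
        sanitize_key($_REQUEST['ctrl'] ?? ''),
        sanitize_key($_REQUEST['task'] ?? ''),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ));

    // wp_send_json_error() ends the request via wp_die(), so later callbacks on this
    // action, including AcyMailing's router, never execute for a non-administrator.
    wp_send_json_error(['message' => 'Not allowed.'], 403);
}, 0);
```

This only closes the entry point described in the advisory; it does not invalidate any `key` values that were already exported while the site was exposed, so treat the update to 10.9.0 and a review of administrator sessions and AcyMailing keys as the real remediation.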