CVE-2026-57740
Received Received - Intake

BaseFortify

Vulnerability report for CVE-2026-57740, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: Patchstack

Description

Missing Authorization vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter acymailing allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AcyMailing SMTP Newsletter: from n/a through <= 10.11.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
acymailing acymailing_smtp_newsletter to 10.11.1 (inc)
acymailing acymailing_smtp_newsletter From 10.0.0 (inc) to 10.11.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-57740 is a Missing Authorization vulnerability in the AcyMailing SMTP Newsletter plugin for WordPress, affecting versions up to 10.11.1.

This vulnerability is a Broken Access Control issue that allows unprivileged users, such as Subscribers, to perform actions that normally require higher privileges due to missing authorization, authentication, or nonce token checks.

Impact Analysis

The vulnerability can be exploited by attackers to perform unauthorized actions within the AcyMailing SMTP Newsletter plugin.

This could lead to attackers conducting mass campaigns or other malicious activities by leveraging higher privileges they should not have.

The CVSS score of 7.1 indicates a moderate level of danger, with potential impacts including integrity loss and high availability impact.

Detection Guidance

This vulnerability involves missing authorization in the AcyMailing SMTP Newsletter Plugin, allowing unprivileged users to perform higher-privileged actions. Detection would involve monitoring for unauthorized access attempts or unusual privilege escalations related to the plugin.

Since no official patch or specific detection commands are provided, it is recommended to check plugin versions to identify if the vulnerable version (10.11.1 or below) is in use.

A possible command to check the installed plugin version on a WordPress site via command line is:

  • wp plugin list --status=active | grep acymailing

Additionally, monitoring web server logs for suspicious requests targeting the AcyMailing SMTP Newsletter endpoints or unusual POST requests from low-privileged users could help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include updating the AcyMailing SMTP Newsletter Plugin to a version higher than 10.11.1 once available.

Since no official patch is currently available, applying the mitigation rule provided by Patchstack to block attacks is advised.

Other recommended actions are to seek assistance from your hosting provider or a developer to implement temporary access control measures.

Monitoring and restricting user privileges to prevent unprivileged users from performing higher-privileged actions can also reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57740. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart