CVE-2026-3614
Published: 16 April 2026
Summary
CVE-2026-3614 is a high-severity Missing Authorization (CWE-862) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 34.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-3614 is a privilege escalation vulnerability in the AcyMailing plugin for WordPress, stemming from a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. It affects all versions from 9.11.0 up to and including 10.8.1. The issue, classified under CWE-862 (Missing Authorization), has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for network-based exploitation with low complexity and low privileges required.
Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to access admin-only controllers, including configuration management. They can enable the autologin feature, create a malicious newsletter subscriber with an injected `cms_id` pointing to any WordPress user account, and then use the generated autologin URL to authenticate as that user, potentially including site administrators. References point to specific code locations in the plugin's Router.php and AcymController.php files across affected versions, highlighting the lack of authorization checks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-23188
Vulnerability details
The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions from 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected `cms_id` pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is explicitly a privilege escalation issue (CWE-862 missing authorization) allowing authenticated low-privileged users (Subscriber) to bypass checks, access admin controllers, and impersonate higher-privileged accounts (including admins) via autologin manipulation.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly addresses the missing capability check on the `wp_ajax_acymailing_router` AJAX handler by enforcing approved authorizations for access to admin-only controllers and functions.
- AC-6 (Least Privilege): mitigates privilege escalation by ensuring only minimal authorized privileges are granted, preventing Subscriber-level users from accessing or enabling admin features like autologin.
- Flaw remediation: provides timely identification, reporting, and correction of the specific flaw in AcyMailing versions 9.11.0 through 10.8.1, eliminating the vulnerability through patching.
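As an added illustration of what the AC-3 and AC-6 controls above mean for the class of flaw described in the deeper analysis (a WordPress AJAX router that dispatches to admin-only controllers without a capability check), the following is example code written for this page; it is not AcyMailing's code and does not reproduce anything from the referenced Router.php or AcymController.php. The function names (`example_router_unchecked`, `example_router_checked`, `example_dispatch`), the `ctrl`/`task` request parameters, the nonce action name and the controller-to-capability map are all hypothetical.

```php
<?php
// Added example, not AcyMailing's code. Demonstrates the weak and the hardened
// form of a WordPress AJAX "router" that selects a controller from the request.
// All names below are hypothetical.

// --- Weak pattern -----------------------------------------------------------
// wp_ajax_* hooks fire for any logged-in user (Subscriber included). Without a
// capability check, the caller picks any controller, including admin-only ones.
function example_router_unchecked() {
    $controller = sanitize_key( $_REQUEST['ctrl'] ?? '' );
    $task       = sanitize_key( $_REQUEST['task'] ?? '' );
    example_dispatch( $controller, $task ); // no authorization decision at all
    wp_die();
}

// --- Hardened pattern ---------------------------------------------------------
// Deny by default: each controller is mapped to the WordPress capability it
// requires, and anything not in the map is refused (AC-3: enforce approved
// authorizations; AC-6: a Subscriber only ever reaches 'read'-level controllers).
const EXAMPLE_CONTROLLER_CAPS = array(
    'config'    => 'manage_options', // hypothetical admin-only controller (settings, autologin toggle)
    'campaigns' => 'edit_posts',     // hypothetical editorial controller
    'subscribe' => 'read',           // hypothetical controller open to any logged-in user
);

function example_router_checked() {
    // CSRF protection for the AJAX endpoint; 'example_router' is a hypothetical nonce action.
    check_ajax_referer( 'example_router', 'nonce' );

    $controller = sanitize_key( $_REQUEST['ctrl'] ?? '' );
    $task       = sanitize_key( $_REQUEST['task'] ?? '' );

    // Unknown controller names resolve to null and are refused, so a typo or a
    // newly added controller never silently becomes reachable without a check.
    $required = EXAMPLE_CONTROLLER_CAPS[ $controller ] ?? null;
    if ( null === $required || ! current_user_can( $required ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
    }

    example_dispatch( $controller, $task );
    wp_die();
}

// Hypothetical dispatcher: hands the task to whichever controller registered
// for the "example_controller_{name}" action. Authorization has already been
// decided by the router, so controllers do not each need to repeat it.
function example_dispatch( $controller, $task ) {
    do_action( "example_controller_{$controller}", $task );
}

// Only the checked router is wired to the logged-in AJAX hook.
add_action( 'wp_ajax_example_router', 'example_router_checked' );
```

The design point is that the authorization decision lives at the single entry point and is keyed on a closed allowlist, so adding a controller without assigning it a capability fails closed rather than open; `current_user_can()` evaluates the capability against the current user's role, which is what stops a Subscriber from reaching the `manage_options` controller even though the `wp_ajax_*` hook itself fires for every logged-in account.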