Cyber Resilience

CVE-2026-3614

Severity: High
Published: 16 April 2026
Modified: 22 April 2026
KEV Added: not listed
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0043 (34.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-3614 is a high-severity Missing Authorization (CWE-862) vulnerability in WordPress (affected product inferred from references). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 34.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-3614 is a privilege escalation vulnerability in the AcyMailing plugin for WordPress, stemming from a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. It affects all versions from 9.11.0 up to and including 10.8.1. The issue, classified under CWE-862 (Missing Authorization), has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for network-based exploitation with low complexity and low privileges required.

Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to access admin-only controllers, including configuration management. They can enable the autologin feature, create a malicious newsletter subscriber with an injected `cms_id` pointing to any WordPress user account, and then use the generated autologin URL to authenticate as that user, potentially including site administrators. References point to specific code locations in the plugin's Router.php and AcymController.php files across affected versions, highlighting the lack of authorization checks.

Vulnerability details

The AcyMailing plugin for WordPress is vulnerable to privilege escalation in all versions from 9.11.0 up to, and including, 10.8.1 due to a missing capability check on the `wp_ajax_acymailing_router` AJAX handler. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access admin-only controllers (including configuration management), enable the autologin feature, create a malicious newsletter subscriber with an injected `cms_id` pointing to any WordPress user, and then use the autologin URL to authenticate as that user, including administrators.
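The missing-authorization pattern described above, shown as an added example that is not AcyMailing's code: a hypothetical WordPress plugin's AJAX router that dispatches to admin controllers without any capability check, beside the hardened form that verifies a nonce and enforces a capability (NIST AC-3 / AC-6) before dispatch. Plugin, action, controller and function names are assumed.

```php
<?php
/**
 * Hypothetical WordPress plugin, constructed for illustration (not AcyMailing code).
 * An admin-ajax.php router that dispatches to controllers by name.
 */

// Admin-only controllers this router can reach (assumed names).
const EXAMPLE_ADMIN_CONTROLLERS = array( 'configuration', 'subscribers' );

/**
 * CWE-862 pattern: a wp_ajax_* hook runs for ANY logged-in user, and nothing
 * here checks what the caller is allowed to do, so a Subscriber reaches the
 * configuration controller as easily as an administrator does.
 */
function example_router_vulnerable() {
	$ctrl = isset( $_REQUEST['ctrl'] ) ? sanitize_key( $_REQUEST['ctrl'] ) : '';
	if ( ! in_array( $ctrl, EXAMPLE_ADMIN_CONTROLLERS, true ) ) {
		wp_send_json_error( 'unknown controller', 400 );
	}
	example_dispatch( $ctrl ); // privileged work with no capability check
}

/**
 * Hardened form: verify the request nonce, then enforce a capability
 * (AC-3 access enforcement) appropriate to admin-only controllers
 * (AC-6 least privilege) before any controller code runs.
 */
function example_router_hardened() {
	check_ajax_referer( 'example_router', 'nonce' ); // dies with 403 on failure
	$ctrl = isset( $_REQUEST['ctrl'] ) ? sanitize_key( $_REQUEST['ctrl'] ) : '';
	if ( ! in_array( $ctrl, EXAMPLE_ADMIN_CONTROLLERS, true ) ) {
		wp_send_json_error( 'unknown controller', 400 );
	}
	// Only users who may manage site options reach admin controllers.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}
	example_dispatch( $ctrl );
}

// Assumed controller dispatch; wp_send_json_success() ends the request.
function example_dispatch( $ctrl ) {
	wp_send_json_success( array( 'controller' => $ctrl ) );
}

// Register the hardened handler; the vulnerable one is shown for contrast only.
add_action( 'wp_ajax_example_router', 'example_router_hardened' );
```

When auditing a plugin for this class of flaw, look for every `wp_ajax_*` callback and confirm a `current_user_can()` check guards each privileged branch, since the hook itself only guarantees that the caller is logged in.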

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is explicitly a privilege escalation issue (CWE-862 missing authorization) allowing authenticated low-privileged users (Subscriber) to bypass checks, access admin controllers, and impersonate higher-privileged accounts (including admins) via autologin manipulation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

All of the following share CWE-862 with this CVE: CVE-2026-32658, CVE-2026-6506, CVE-2025-48574, CVE-2025-21396, CVE-2021-47701, CVE-2026-40349, CVE-2024-57726, CVE-2025-7665, CVE-2024-11936, CVE-2025-2815.

Affected Assets

WordPress (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement · prevent
Directly addresses the missing capability check on the wp_ajax_acymailing_router AJAX handler by enforcing approved authorizations for access to admin-only controllers and functions.

AC-6 Least Privilege · prevent
Mitigates privilege escalation by ensuring only minimal authorized privileges are granted, preventing Subscriber-level users from accessing or enabling admin features like autologin.

Flaw remediation (patching) · prevent
Provides timely identification, reporting, and correction of the specific flaw in AcyMailing versions 9.11.0 through 10.8.1, eliminating the vulnerability through patching.
