AcyMailing Privilege Escalation Vulnerability in WordPress

A vulnerability allowing privilege escalation has been identified in the AcyMailing plugin for WordPress, affecting versions 9.11.0 prior to 10.8.1. The issue arises from a missing capability check on the 'wp_ajax_acymailing_router' AJAX handler, which enables authenticated attackers with Subscriber-level access and above to access admin-only controllers, including configuration management. Exploitation of this vulnerability allows the attacker to enable the autologin feature, create a malicious newsletter subscriber with an injected 'cms_id' pointing to any WordPress user, and use the autologin URL to authenticate as that user, potentially including administrators.

Impact

Exploitation of this vulnerability could lead to unauthorized access to admin-only features and controllers, allowing attackers to manipulate configurations and impersonate other users, including administrators, through the autologin feature.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send a request to the 'wp_ajax_acymailing_router' AJAX handler without the necessary capability check. This can be done by injecting a 'cms_id' into a newsletter subscriber profile, which can then be used to authenticate as the corresponding WordPress user via the autologin URL.

Remediation

Users are advised to update the AcyMailing plugin to version 10.8.2 or a newer patched version.