Stored Cross-Site Scripting in AcyMailing Plugin for WordPress
CVE-2026-12170
6.4MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-12170?
The AcyMailing plugin for WordPress is susceptible to Stored Cross-Site Scripting (XSS) attacks stemming from inadequate sanitization of the 'alignment' attribute. This vulnerability affects all versions up to and including 10.10.2, allowing authenticated users with at least contributor-level access to insert arbitrary scripts into web pages. When other users visit these compromised pages, the injected scripts are executed, potentially compromising site security and user data.
Affected Version(s)
AcyMailing β An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress 0 <= 10.10.2