CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-24617 – WordPress AcyMailing Plugin < 9.11.1 - Reflected Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-24617
30 Dec 2024 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AcyMailing Newsletter Team AcyMailing SMTP Newsletter allows Reflected XSS. This issue affects AcyMailing SMTP Newsletter: from n/a through n/a. The AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 9.11.0 due to insufficient input sanitization and output escapi... • https://patchstack.com/database/wordpress/plugin/acymailing/vulnerability/wordpress-acymailing-plugin-9-11-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2023-41867 – WordPress AcyMailing SMTP Newsletter Plugin <= 8.6.2 is vulnerable to Cross Site Scripting (XSS)
https://notcve.org/view.php?id=CVE-2023-41867
05 Sep 2023 — Unauth. Reflected Cross-Site Scripting (XSS) vulnerability in AcyMailing Newsletter Team AcyMailing plugin <= 8.6.2 versions. Vulnerabilidad de Cross-Site Scripting (XSS) Reflejada No Autenticada en el complemento AcyMailing Newsletter Team AcyMailing en versiones <= 8.6.2. The AcyMailing SMTP Newsletter plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 8.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthe... • https://patchstack.com/database/vulnerability/acymailing/wordpress-acymailing-plugin-8-6-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28733 – Stored XSS affecting the AcyMailing plugin for Joomla
https://notcve.org/view.php?id=CVE-2023-28733
30 Mar 2023 — AnyMailing Joomla Plugin is vulnerable to stored cross site scripting (XSS) in templates and emails of AcyMailing, exploitable without authentication when access is granted to the campaign's creation on front-office. This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0. AnyMailing Joomla Plugin is vulnerable to stored cross site scripting (XSS) in templates and emails of AcyMailing, exploitable without authentication when access is granted to the campaign's creation on front-office... • https://www.acymailing.com/change-log • CWE-20: Improper Input Validation CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-116: Improper Encoding or Escaping of Output •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-28732 – Missing access control affecting the AcyMailing plugin for Joomla
https://notcve.org/view.php?id=CVE-2023-28732
30 Mar 2023 — Missing access control in AnyMailing Joomla Plugin allows to list and access files containing sensitive information from the plugin itself and access to system files via path traversal, when being granted access to the campaign's creation on front-office. This issue affects AnyMailing Joomla Plugin in versions below 8.3.0. Missing access control in AnyMailing Joomla Plugin allows to list and access files containing sensitive information from the plugin itself and access to system files via path traversal, w... • https://github.com/acyba/acymailing/releases/tag/v8.3.0 • CWE-20: Improper Input Validation CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-28731 – Unauthenticated RCE affecting the AcyMailing plugin for Joomla
https://notcve.org/view.php?id=CVE-2023-28731
30 Mar 2023 — AnyMailing Joomla Plugin is vulnerable to unauthenticated remote code execution, when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. This issue affects AnyMailing Joomla Plugin Enterprise in versions below 8.3.0. AnyMailing Joomla Plugin is vulnerable to unauthenticated remote code execution, when being granted access to the campaign's creation on front-office due to unrestricted file upload allowing PHP code to be injected. ... • https://www.acymailing.com/change-log • CWE-20: Improper Input Validation CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24288 – AcyMailing < 7.5.0 - Unauthenticated Open Redirect
https://notcve.org/view.php?id=CVE-2021-24288
29 Apr 2021 — When subscribing using AcyMailing, the 'redirect' parameter isn't properly sanitized. Turning the request from POST to GET, an attacker can craft a link containing a potentially malicious landing page and send it to the victim. Cuando se suscriben usando AcyMailing, el parámetro "redirect" no es saneado apropiadamente. Al cambiar la petición de POST a GET, un atacante puede diseñar un enlace que contenga una página de destino potencialmente maliciosa y enviársela a la víctima When subscribing using Acy... • https://wpscan.com/vulnerability/56628862-1687-4862-9ed4-145d8dfbca97 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2020-10934
https://notcve.org/view.php?id=CVE-2020-10934
24 Mar 2020 — Acyba AcyMailing before 6.9.2 mishandles file uploads by admins. Acyba AcyMailing versiones anteriores a la versión 6.9.2, maneja inapropiadamente archivos cargados por administradores. • http://jvn.jp/en/jp/JVN56890693/index.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2015-7338
https://notcve.org/view.php?id=CVE-2015-7338
09 Mar 2020 — SQL Injection exists in AcyMailing Joomla Component before 4.9.5 via exportgeolocorder in a geolocation_longitude request to index.php. Se presenta una Inyección SQL en AcyMailing Joomla Component versiones anteriores a 4.9.5, por medio de exportgeolocorder en una petición de la función geolocation_longitude en el archivo index.php. • https://labs.integrity.pt/advisories/cve-2015-7338 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 3%CPEs: 1EXPL: 2CVE-2018-9107 – Joomla! Component Acymailing Starter 5.9.5 - CSV Macro Injection
https://notcve.org/view.php?id=CVE-2018-9107
28 Mar 2018 — CSV Injection (aka Excel Macro Injection or Formula Injection) exists in the export feature in the Acyba AcyMailing extension before 5.9.6 for Joomla! via a value that is mishandled in a CSV export. Existe inyección CSV (también conocida como Excel Macro Injection o Formula Injection) en la funcionalidad de exportación en la extensión Acyba AcyMailing , en versiones anteriores a la 5.9.6, para Joomla! mediante un valor gestionado de manera incorrecta en una exportación CSV. Joomla Acymailing Starter compone... • https://packetstorm.news/files/id/146993 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •