| CVE-2026-3614 | AcyMailing 9.11.0 - 10.8.1 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation | acyba | AcyMailing – An Ultimate Newsletter Plugin and Marketing Automation Solution for WordPress | High | 8.8 | 2026-04-16 05:29:54 | Deep Dive |
| CVE-2025-14339 | weMail <= 2.0.7 - Missing Authorization to Unauthenticated Form Deletion | wedevs | weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce | Medium | 6.5 | 2026-02-21 09:28:00 | Deep Dive |
| CVE-2026-1258 | Mail Mint <= 1.19.2 - Authenticated (Administrator+) SQL Injection via Multiple API Endpoints | getwpfunnels | Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails | Medium | 4.9 | 2026-02-14 08:26:48 | Deep Dive |
| CVE-2026-1447 | Mail Mint <= 1.19.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting | getwpfunnels | Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails | Medium | 5.4 | 2026-02-03 06:38:06 | Deep Dive |
| CVE-2025-14348 | weMail <= 2.0.7 - Insufficient Authorization via x-wemail-user Header to Sensitive Information Disclosure | wedevs | weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce | Medium | 5.3 | 2026-01-20 04:35:46 | Deep Dive |
| CVE-2025-62873 | WordPress WP Flashy Marketing Automation plugin <= 2.0.8 - Cross Site Request Forgery (CSRF) vulnerability | Flashyapp | WP Flashy Marketing Automation | - | - | 2025-12-09 14:52:25 | Deep Dive |
| CVE-2025-67599 | WordPress WebToffee eCommerce Marketing Automation plugin <= 2.1.1 - Broken Access Control vulnerability | WebToffee | WebToffee eCommerce Marketing Automation | - | - | 2025-12-09 14:14:19 | Deep Dive |
| CVE-2025-12935 | FluentCRM - Marketing Automation For WordPress <= 2.9.84 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'fluentcrm_content' Shortcode | techjewel | FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution | Medium | 6.4 | 2025-11-21 12:28:08 | Deep Dive |
| CVE-2025-12750 | Groundhogg <= 4.2.6.1 - Authenticated (Admin+) SQL Injection | trainingbusinesspros | Groundhogg — CRM, Newsletters, and Marketing Automation | Medium | 4.9 | 2025-11-21 09:27:03 | Deep Dive |
| CVE-2025-11967 | Mail Mint <= 1.18.10 - Authenticated (Admin+) Arbitrary File Upload | getwpfunnels | Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails | High | 7.2 | 2025-11-08 09:28:12 | Deep Dive |
| CVE-2025-12469 | FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce <= 3.6.4.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Email Sending | amans2k | FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce | Medium | 4.3 | 2025-11-05 09:27:40 | Deep Dive |
| CVE-2025-12468 | FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce <= 3.6.4.1 - Unauthenticated Sensitive Information Exposure | amans2k | FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce | Medium | 5.3 | 2025-11-05 09:27:39 | Deep Dive |
| CVE-2025-11975 | FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) <= 1.1.23.0 - Missing Authorization to Authenticated (Subscriber+) Sync Rule Creation | fusewp | FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) | Medium | 4.3 | 2025-10-31 02:26:04 | Deep Dive |
| CVE-2025-11976 | FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) <= 1.1.23.0 - Cross-Site Request Forgery to Sync Rule Creation | fusewp | FuseWP – WordPress User Sync to Email List & Marketing Automation (Mailchimp, Constant Contact, ActiveCampaign etc.) | Medium | 4.3 | 2025-10-25 06:49:25 | Deep Dive |
| CVE-2025-7654 | Multiple Plugins By FunnelKit <= (Various Versions) - Authenticated (Contributor+) Sensitive Information Exposure to Privilege Escalation via Woofunnel Library | amans2k | FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce | High | 8.8 | 2025-08-19 07:26:28 | Deep Dive |
| CVE-2025-1562 | Recover WooCommerce Cart Abandonment, Newsletter, Email Marketing, Marketing Automation By FunnelKit <= 3.5.3 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation | amans2k | FunnelKit Automations – Email Marketing Automation and CRM for WordPress & WooCommerce | Critical | 9.8 | 2025-06-18 07:22:44 | Deep Dive |
| CVE-2025-4206 | WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg <= 4.1.1.2 - Authenticated (Administrator+) Arbitrary File Deletion | trainingbusinesspros | Groundhogg — CRM, Newsletters, and Marketing Automation | High | 7.2 | 2025-05-09 11:11:19 | Deep Dive |
| CVE-2025-32608 | WordPress Movylo Marketing Automation Plugin <= 2.0.7 - Cross Site Scripting (XSS) vulnerability | Movylo | Movylo Marketing Automation | High | 7.1 | 2025-04-17 15:47:18 | Deep Dive |
| CVE-2025-39513 | WordPress ActiveDEMAND plugin <= 0.2.46 - Broken Access Control vulnerability | ActiveDEMAND Online Agency Marketing Automation | ActiveDEMAND | Medium | 5.3 | 2025-04-16 12:45:54 | Deep Dive |
| CVE-2025-1267 | Groundhogg <= 3.7.4.1 - Authenticated (Administrator+) Stored Cross-Site Scripting via label Parameter | trainingbusinesspros | Groundhogg — CRM, Newsletters, and Marketing Automation | Medium | 5.5 | 2025-04-01 06:52:05 | Deep Dive |