Skip to main content

Security problem with AcyMailing

AcyMailing is a popular e-mail marketing and newsletter extension for Joomla in which a major security problem was recently discovered. In August 2023, many Joomla websites running AcyMailing 6,7, and 8 were found to have been hacked.

AcyMailing security update v8.7.0

On 16 August 2023, AcyMailing released security update v8.7.0. That fixed 4 key vulnerabilities:

  • Cross-Site Scripting (XSS) vulnerability, protecting against unauthorised access to campaigns.
  • Unauthorised List Creation, prevents unauthorised list creation.
  • Attachment Deletion vulnerability, securing attachments in email campaigns.
  • Subscriber List Enumeration, security of subscriber data.

These vulnerabilities only affect AcyMailing Enterprise edition and specifically when using a front-end campaigns management menu on a Joomla website. Versions 6.7.0 to 8.6.3 are affected, but these have been patched in version 8.7.0. AcyMailing recommends updating as soon as possible.

Critical security issue v8.5.0 - check websites now

On 25 August 2023, AcyMailing disclosed what the security problem was: a vulnerability that allowed "unauthorised file creation", which allowed malicious PHP files to be placed on the server. This involved using the upload thumbnail function in AcyMailing. By placing PHP code, attackers could potentially gain full access to a Joomla website, including Joomla files, database data and user data. This vulnerability has been fixed with the patch.

Unfortunately, many websites of AcyMailing users have been hacked. This appears to have happened in some cases as early as April and May 2023.
The creators of Acymailing recommend:

  • update to the latest version of AcyMailing as soon as possible
  • check the website:
    • for hack files named "thumbnail_*.php".
    • If such files are found, they should be removed using FTP or SSH.
    • Furthermore, suspicious files containing "$_COOKIE" should then be looked for.
    • It is also recommended to change passwords of databases and FTP/SMTP accounts in case of a hack.



Nijmegen Office
db8 Website Support
Keizer Karelplein 32 q
6511 NH Nijmegen
The Netherlands

+31 85 301 48 28
support at db8 dot nl
+31 6 44 214 500 (urgent)
Opening hours

By appointment
Monday to Friday
09:00 - 17:00 (5pm)
(Time zone: Central European Time)

Acquisition is
not appreciated

© All rights reserved.