Description
The Mail Mint plugin for WordPress is vulnerable to blind SQL Injection via the 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map' API endpoints in all versions up to, and including, 1.19.2 . This is due to insufficient escaping on the user supplied 'order-by', 'order-type', and 'selectedCourses' parameters and lack of sufficient preparation on the existing SQL queries. This makes it possible for authenticated attackers, with administrator level access and above, to append additional SQL queries into already existing queries.
Published: 2026-02-14
Score: 4.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized database access via blind SQL injection
Action: Patch
AI Analysis

Impact

The Mail Mint plugin for WordPress includes multiple API endpoints that fail to properly escape user‑supplied parameters such as 'order-by', 'order-type', and 'selectedCourses'. This omission allows an authenticated user with administrator or higher privileges to inject and execute arbitrary SQL statements in a blind context, enabling attackers to read or modify database content, potentially exposing sensitive subscriber data or tampering with campaign configurations. The vulnerability does not grant code execution but compromises data integrity and confidentiality with significant operational impact.

Affected Systems

All releases of the Mail Mint WordPress plugin up to and including version 1.19.2 are affected. The plugin, maintained by getwpfunnels, is used for email marketing, newsletters, and automation within the WordPress ecosystem. Only the API endpoints listed in the description – 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map' – are vulnerable; the rest of the plugin remains unchanged.

Risk and Exploitability

The CVSS v3.1 score is 4.9, reflecting moderate severity, and the EPSS probability is reported as less than 1%, indicating a low likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Because the attack requires administrator‑level credentials, the primary vector is remote or local access via the WordPress admin interface or the exposed API. An attacker who can authenticate as an admin can send crafted requests that append malicious SQL to existing queries, potentially extracting or corrupting database data. While the exploitation probability is low, any environment that assigns broad admin privileges to users presents a risk that should be mitigated promptly.

Generated by OpenCVE AI on April 15, 2026 at 20:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch for Mail Mint that replaces vulnerable queries with parameterized statements and correctly sanitizes user input.
  • Implement strict input validation on the 'order-by', 'order-type', and 'selectedCourses' parameters to allow only expected values.
  • Limit administrator-level access to the WordPress admin and API endpoints to trusted users, using role‑based access controls.
  • Configure a web application firewall or server rule set to block requests containing SQL injection patterns targeting the affected endpoints.

Generated by OpenCVE AI on April 15, 2026 at 20:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Getwpfunnels
Getwpfunnels mail Mint – Newsletters, Email Marketing, Automation, Woocommerce Emails, Post Notification, And More
Wordpress
Wordpress wordpress
Vendors & Products Getwpfunnels
Getwpfunnels mail Mint – Newsletters, Email Marketing, Automation, Woocommerce Emails, Post Notification, And More
Wordpress
Wordpress wordpress

Sat, 14 Feb 2026 08:30:00 +0000

Type Values Removed Values Added
Description The Mail Mint plugin for WordPress is vulnerable to blind SQL Injection via the 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map' API endpoints in all versions up to, and including, 1.19.2 . This is due to insufficient escaping on the user supplied 'order-by', 'order-type', and 'selectedCourses' parameters and lack of sufficient preparation on the existing SQL queries. This makes it possible for authenticated attackers, with administrator level access and above, to append additional SQL queries into already existing queries.
Title Mail Mint <= 1.19.2 - Authenticated (Administrator+) SQL Injection via Multiple API Endpoints
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 4.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Getwpfunnels Mail Mint – Newsletters, Email Marketing, Automation, Woocommerce Emails, Post Notification, And More
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:32.434Z

Reserved: 2026-01-20T20:05:01.189Z

Link: CVE-2026-1258

cve-icon Vulnrichment

Updated: 2026-02-17T15:36:24.196Z

cve-icon NVD

Status : Deferred

Published: 2026-02-14T09:16:12.190

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1258

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T20:45:06Z

Weaknesses