Description
The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update contact notes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to missing sanitization and escaping this can lead to stored Cross-Site Scripting.
Published: 2026-02-03
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting via CSRF
Action: Update Plugin
AI Analysis

Impact

The Mail Mint plugin for WordPress contains a CSRF vulnerability that arises from missing nonce validation on the create_or_update_note function. An unauthenticated attacker can forge a request to this endpoint, which will create or modify a contact note when an administrator is tricked into clicking a link. Because the plugin does not sanitise or escape the note content, malicious data can be stored and later executed in the browser when the note is displayed, resulting in stored Cross-Site Scripting. The flaw permits an attacker to inject scripts that run in the context of any user who views the note, potentially leaking credentials or hijacking sessions. The impact is limited to the data displayed by the plugin, but the attack vector and lack of validation make it a moderate risk if an administrator is susceptible to the social engineering component.

Affected Systems

All versions of the Mail Mint WordPress plugin up to and including 1.19.2, provided by getwpfunnels (Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails).

Risk and Exploitability

The CVSS score of 5.4 indicates a medium severity, and the EPSS score of less than 1% suggests a very low likelihood that the vulnerability will be actively exploited at present. The flaw is not listed in the CISA KEV catalog. Exploitation requires an administrator to click a malicious link; there is no direct network takeover. Given the reliance on social engineering, the actual risk depends on the security posture of the site’s admin users. However, the combination of CSRF and stored XSS warrants remediation to prevent potential data compromise or credential theft.

Generated by OpenCVE AI on April 15, 2026 at 17:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Mail Mint to the latest available version, which removes the missing nonce validation and input sanitisation issues.
  • If an upgrade cannot be performed immediately, modify or patch the create_or_update_note function in the plugin to enforce nonce validation or disable the endpoint entirely.
  • Add proper output escaping or sanitisation to the contact note content before it is rendered, ensuring scripts cannot be executed when notes are viewed.
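The recommended actions above amount to the standard WordPress pattern of "check capability and nonce on input, sanitise before storage, escape on output". The following is an added illustration written for this page, not Mail Mint's own code: a hypothetical admin-ajax note handler shown first in the weak shape the advisory describes and then hardened. The function names, the nonce action 'mm_save_note', the capability 'manage_options', the meta key and the script handle 'mm-notes' are all assumptions.

```php
<?php
// Added illustration (not Mail Mint's code). All names below are hypothetical.

// WEAK: a forged POST to admin-ajax.php?action=mm_save_note riding on an
// administrator's session cookie is accepted, and the raw note is stored and
// echoed back unescaped. This is the pattern CWE-352 + stored XSS describes.
function mm_save_note_weak() {
    $contact_id = (int) $_POST['contact_id'];
    $note       = $_POST['note'];                      // no sanitisation
    update_post_meta( $contact_id, '_mm_note', $note );
    echo '<div class="note">' . $note . '</div>';      // no escaping
    wp_die();
}

// HARDENED: capability check and nonce check before any logic runs,
// sanitisation before storage, escaping at output.
function mm_save_note_hardened() {
    // 1. Only users permitted to manage contacts may reach this code.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 2. CSRF defence: the request must carry a nonce minted for this action.
    //    check_ajax_referer() terminates the request if it is missing/invalid.
    check_ajax_referer( 'mm_save_note', '_wpnonce' );

    // 3. Sanitise on input.
    $contact_id = isset( $_POST['contact_id'] ) ? absint( $_POST['contact_id'] ) : 0;
    $note       = isset( $_POST['note'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['note'] ) ) : '';
    if ( 0 === $contact_id || '' === $note ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    update_post_meta( $contact_id, '_mm_note', $note );

    // 4. Escape on output, so stored content can never become markup.
    wp_send_json_success(
        array( 'html' => '<div class="note">' . esc_html( $note ) . '</div>' )
    );
}
add_action( 'wp_ajax_mm_save_note', 'mm_save_note_hardened' );

// The nonce is issued to the logged-in admin page and sent with the request;
// a third-party page cannot read it, which is what defeats the forged request.
function mm_notes_localize() {
    wp_localize_script( 'mm-notes', 'mmNotes', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'mm_save_note' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'mm_notes_localize' );
```

The script handle passed to wp_localize_script() must already be registered and enqueued on the same hook; that part is omitted here.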

Advisories

No advisories yet.

History

Wed, 04 Feb 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Getwpfunnels; Getwpfunnels mail Mint; Wordpress; Wordpress wordpress
Vendors & Products                    Getwpfunnels; Getwpfunnels mail Mint; Wordpress; Wordpress wordpress

Tue, 03 Feb 2026 16:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Feb 2026 13:15:00 +0000

Type          Values Removed   Values Added
Description                    The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update contact notes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to missing sanitization and escaping this can lead to stored Cross-Site Scripting.
Title                          Mail Mint <= 1.19.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting
Weaknesses                     CWE-352
References
Metrics                        cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:30:11.747Z

Reserved: 2026-01-26T17:00:55.043Z

Link: CVE-2026-1447

Vulnrichment

Updated: 2026-02-03T15:25:58.707Z

NVD

Status : Deferred

Published: 2026-02-03T07:16:12.307

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1447

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T18:00:15Z

Weaknesses