Description
The Mail Mint WordPress plugin before 1.19.5 does not have authorization in one of its REST API endpoints, allowing unauthenticated users to call it and retrieve the email addresses of users on the blog
Published: 2026-03-04
Score: 7.5 High
EPSS: 34.0% Moderate
KEV: No
Impact: Unauthenticated Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

A REST API endpoint in Mail Mint that performs no authorization check allows any internet user to retrieve the email addresses of all registered WordPress users. The missing check bypasses the permissions model the API is meant to enforce and exposes confidential user data. The vulnerability is a classic example of CWE-200: Information Exposure.

Affected Systems

The flaw affects the Mail Mint WordPress plugin for any version earlier than 1.19.5. Sites running that plugin can expose user email addresses to anyone who can reach the site’s REST API.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, and the EPSS probability of 34% suggests that exploitation in the wild is likely. Because the endpoint requires no authentication, an attacker can send plain HTTP GET requests to it from any network, so the flaw is remotely exploitable. The issue is not currently catalogued in CISA's KEV list, but the high exploitation likelihood warrants urgent attention.

Generated by OpenCVE AI on April 16, 2026 at 13:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Mail Mint plugin to version 1.19.5 or later, which removes the vulnerable endpoint.
  • If an upgrade is not immediately possible, block or restrict access to the affected REST API endpoint using security plugins or firewall rules that require authentication or drop unauthenticated requests.
  • Audit the site’s WordPress installation and all plugins for additional exposed APIs, and perform a regular review of user role permissions to ensure no further information exposure.
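The root cause described above is a WordPress REST route registered without an effective permission_callback. The following is an added illustration (not Mail Mint's code, and not a reproduction of its real endpoint): the namespace example-plugin/v1, the route /subscriber-emails and the function names are hypothetical placeholders. It shows the public-by-default pattern that produces this class of bug next to the hardened form, which gates the route behind the core list_users capability so anonymous callers receive 401 and under-privileged logged-in users receive 403.

```php
<?php
/**
 * Added example, not part of the Mail Mint plugin.
 * Namespace, route and function names are hypothetical placeholders.
 */

// Vulnerable pattern: '__return_true' as permission_callback makes the route
// reachable by anyone, including anonymous visitors. (WordPress 5.5+ emits a
// notice when permission_callback is omitted entirely; '__return_true'
// silences the notice while keeping the route fully public.)
function example_register_public_route() {
    register_rest_route( 'example-plugin/v1', '/subscriber-emails', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_emails',
        'permission_callback' => '__return_true', // anyone may call this
    ) );
}

// Hardened pattern: require a capability that only privileged roles hold.
// 'list_users' is the core capability that governs viewing the user list;
// for a cookie-authenticated caller WordPress also demands a valid REST
// nonce before current_user_can() sees a logged-in user.
function example_register_restricted_route() {
    register_rest_route( 'example-plugin/v1', '/subscriber-emails', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_emails',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'list_users' ) ) {
                // 401 for anonymous callers, 403 for logged-in users without the capability
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to list user email addresses.', 'example-plugin' ),
                    array( 'status' => is_user_logged_in() ? 403 : 401 )
                );
            }
            return true;
        },
    ) );
}

// Shared handler: only ever reached when the permission_callback returned true.
function example_list_emails( WP_REST_Request $request ) {
    $users = get_users( array( 'fields' => array( 'ID', 'user_email' ) ) );
    return rest_ensure_response( $users );
}

add_action( 'rest_api_init', 'example_register_restricted_route' );
```

When auditing a site for the third recommended action, the REST index at /wp-json/ lists every registered namespace and route; any route whose handler returns user data and whose permission_callback is __return_true (or a function that never calls current_user_can()) deserves the same treatment as the hardened form above.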


Advisories

No advisories yet.

History

Wed, 04 Mar 2026 17:15:00 +0000

Type: Weaknesses
  Values Added: CWE-200

Type: Metrics
  Values Added:
    cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 15:00:00 +0000

Type: First Time appeared
  Values Added: Getwpfunnels, Getwpfunnels mail Mint, Wordpress, Wordpress wordpress

Type: Vendors & Products
  Values Added: Getwpfunnels, Getwpfunnels mail Mint, Wordpress, Wordpress wordpress

Wed, 04 Mar 2026 06:15:00 +0000

Type: Description
  Values Added: The Mail Mint WordPress plugin before 1.19.5 does not have authorization in one of its REST API endpoint, allowing unauthenticated users to call it and retrieve the email addresses of users on the blog

Type: Title
  Values Added: Mail Mint < 1.19.5 - Unauthenticated Emails Disclosure
References

Subscriptions

Getwpfunnels Mail Mint
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-03-04T17:09:15.123Z

Reserved: 2026-02-05T20:41:56.158Z

Link: CVE-2026-2025

Vulnrichment

Updated: 2026-03-04T17:06:20.425Z

NVD

Status : Deferred

Published: 2026-03-04T06:16:11.297

Modified: 2026-04-15T14:42:29.303

Link: CVE-2026-2025

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:00:19Z

Weaknesses