Description
Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Mail Mint: from n/a through <= 1.19.4.
Published: 2026-02-19
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: Broken Access Control
Action: Patch
AI Analysis

Impact

The vulnerability arises from missing authorization checks in the WPFunnels Mail Mint plugin, allowing unauthenticated users to access privileged functionality. Because the plugin does not enforce ACLs, attackers can invoke plugin endpoints that should be restricted, potentially exposing sensitive data or performing unauthorized operations. This weakness is classified as CWE‑862.

Affected Systems

The flaw affects WPFunnels Mail Mint for WordPress, versions from the initial release through 1.19.4. Any site running any version up to and including 1.19.4 is susceptible until an update is applied.

Risk and Exploitability

The EPSS score is below 1%, indicating a low probability of exploitation at the time of assessment, and the vulnerability is not listed in CISA’s KEV catalog. Nonetheless, the attack vector is likely via a direct HTTP request to the plugin’s exposed endpoints, requiring only that the plugin is active and the target site is publicly reachable. Because no additional authentication is enforced, any visitor can exploit it, making it simple to attack if the plugin is present.

Generated by OpenCVE AI on April 16, 2026 at 06:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Mail Mint plugin to the latest version (greater than 1.19.4) as released by the vendor.
  • If an upgrade is not immediately possible, remove or disable the plugin to eliminate the exposed vectors.
  • Implement role‑based access controls or a web application firewall to block unauthorized requests to plugin endpoints until a patch is deployed.



Advisories

No advisories yet.

History

Sat, 28 Feb 2026 05:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Getwpfunnels; Getwpfunnels mail Mint; Wordpress; Wordpress wordpress
Vendors & Products | | Getwpfunnels; Getwpfunnels mail Mint; Wordpress; Wordpress wordpress

Thu, 19 Feb 2026 08:45:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Mail Mint: from n/a through <= 1.19.4.
Title | | WordPress Mail Mint plugin <= 1.19.4 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:01.171Z

Reserved: 2026-01-14T08:36:07.868Z

Link: CVE-2026-23541

Vulnrichment

Updated: 2026-02-24T21:24:31.756Z

NVD

Status: Deferred

Published: 2026-02-19T09:16:11.903

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23541

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T06:45:16Z

Weaknesses