Vulnerabilities and security researches formail-mint mail-mint

May 13, 2025

CVE, Research URL: CVE-2025-47541
Home page URL: Security reports for Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint
Application: Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint
Date: May 23, 2025
Research Description: Insertion of Sensitive Information Into Sent Data vulnerability in WPFunnels Mail Mint allows Retrieve Embedded Sensitive Data. This issue affects Mail Mint: from n/a through 1.17.7.
Affected versions: max 1.17.8.
Status: vulnerable

Sep 05, 2025

CVE, Research URL: CVE-2025-58604
Home page URL: Security reports for Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint
Application: Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint
Date: Sep 03, 2025
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WPFunnels Mail Mint allows SQL Injection. This issue affects Mail Mint: from n/a through 1.18.5.
Affected versions: max 1.18.6.
Status: vulnerable

Dec 11, 2025

CVE, Research URL: CVE-2025-11967
Home page URL: Security reports for Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint
Application: Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint
Date: Nov 08, 2025
Research Description: The Mail Mint plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_contact_attribute_import function in all versions up to, and including, 1.18.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
Affected versions: max 1.18.11.
Status: vulnerable

Feb 27, 2026

CVE, Research URL: CVE-2026-23541
Home page URL: Security reports for Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint
Application: Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint
Date: Feb 19, 2026
Research Description: Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Mail Mint: from n/a through <= 1.19.4.
Affected versions: max 1.19.4.
Status: vulnerable

Apr 14, 2026

CVE, Research URL: CVE-2026-1447
Home page URL: Security reports for Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint
Application: Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint
Date: Feb 03, 2026
Research Description: The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update contact notes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to missing sanitization and escaping this can lead to stored Cross-Site Scripting.
Affected versions: max 1.19.3.
Status: vulnerable

CVE, Research URL: CVE-2026-2025
Home page URL: Security reports for Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint
Application: Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint
Date: Mar 04, 2026
Research Description: The Mail Mint WordPress plugin before 1.19.5 does not have authorization in one of its REST API endpoint, allowing unauthenticated users to call it and retrieve the email addresses of users on the blog
Affected versions: max 1.19.5.
Status: vulnerable

CVE, Research URL: CVE-2026-1258
Home page URL: Security reports for Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint
Application: Email Marketing, Email Automation & Newsletter for WordPress & WooCommerce – Mail Mint
Date: Feb 14, 2026
Research Description: The Mail Mint plugin for WordPress is vulnerable to blind SQL Injection via the 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map' API endpoints in all versions up to, and including, 1.19.2 . This is due to insufficient escaping on the user supplied 'order-by', 'order-type', and 'selectedCourses' parameters and lack of sufficient preparation on the existing SQL queries. This makes it possible for authenticated attackers, with administrator level access and above, to append additional SQL queries into already existing queries.
Affected versions: max 1.19.3.
Status: vulnerable