Skip to main content

Mail Mint CVE-2026-12918

| EUVDEUVD-2026-42862 MEDIUM
SQL Injection (CWE-89)
2026-07-10 security@wordfence.com GHSA-87jw-g834-7wpg
4.9
CVSS 3.1 · Vendor: wordfence
Share

Severity by source

Vendor (wordfence) PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
4.9 MEDIUM

Administrator authentication confirmed as prerequisite (PR:H); network-delivered REST API (AV:N); confidentiality-only impact with no integrity or availability effect (C:H/I:N/A:N).

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (wordfence).

CVSS VectorVendor: wordfence

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 10, 2026 - 10:39 vuln.today
CVE Published
Jul 10, 2026 - 10:16 nvd
MEDIUM 4.9

DescriptionCVE.org

The Mail Mint - Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to generic SQL Injection via the 'recipients' parameter in all versions up to, and including, 1.24.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is a second-order SQL injection: the malicious payload is first stored unsanitized via a POST request to /mrm/v1/campaigns/ (bypassing filter_recipients() validation because an int-cast of a string like '1) OR ...' evaluates to a real numeric ID), and is then triggered by a subsequent GET request to /mrm/v1/campaigns/{id} that deserializes the recipients and passes the raw id string through array_column() into the vulnerable query.

AnalysisAI

Second-order SQL injection in Mail Mint WordPress plugin (all versions ≤ 1.24.1) allows authenticated administrators to exfiltrate arbitrary data from the WordPress database via the 'recipients' parameter in the campaign REST API. The attack exploits a two-stage flaw: a malicious SQL payload bypasses int-cast input validation at write time and persists unsanitized, then fires during a subsequent campaign retrieval request that passes the raw value into an unparameterized query. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain WordPress administrator credentials
Delivery
POST crafted 'recipients' payload to /mrm/v1/campaigns/
Exploit
Int-cast bypass evades filter_recipients() validation
Install
Unsanitized payload persisted in database
C2
GET /mrm/v1/campaigns/{id} triggers deserialization
Execute
array_column() feeds raw string into unparameterized SQL query
Impact
Sensitive database contents returned to attacker

Vulnerability AssessmentAI

Exploitation Requires an authenticated session with WordPress administrator-level privileges or higher - PR:N (unauthenticated) exploitation is not possible, as confirmed by the CVSS vector PR:H. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.9 Medium score is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with valid WordPress administrator credentials sends a POST request to /mrm/v1/campaigns/ with the 'recipients' parameter set to a value such as '1) UNION SELECT user_pass,user_login,NULL FROM wp_users-- -'; the int-cast in filter_recipients() evaluates this to 1, passes validation, and stores the raw string in the database. The attacker then issues a GET request to /mrm/v1/campaigns/{id}, which deserializes the stored recipients and feeds the unsanitized string through array_column() into an unparameterized SQL query in ContactGroupPivotModel, returning WordPress user password hashes and login names in the response. …
Remediation Update Mail Mint to the version introduced in the WordPress plugin changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3592458%40mail-mint&new=3592458%40mail-mint - note that the exact patched release version number is not explicitly stated in available data and should be confirmed via the WordPress plugin directory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-12918 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy