Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Administrator authentication confirmed as prerequisite (PR:H); network-delivered REST API (AV:N); confidentiality-only impact with no integrity or availability effect (C:H/I:N/A:N).
Primary rating from Vendor (wordfence).
CVSS VectorVendor: wordfence
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Mail Mint - Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to generic SQL Injection via the 'recipients' parameter in all versions up to, and including, 1.24.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is a second-order SQL injection: the malicious payload is first stored unsanitized via a POST request to /mrm/v1/campaigns/ (bypassing filter_recipients() validation because an int-cast of a string like '1) OR ...' evaluates to a real numeric ID), and is then triggered by a subsequent GET request to /mrm/v1/campaigns/{id} that deserializes the recipients and passes the raw id string through array_column() into the vulnerable query.
AnalysisAI
Second-order SQL injection in Mail Mint WordPress plugin (all versions ≤ 1.24.1) allows authenticated administrators to exfiltrate arbitrary data from the WordPress database via the 'recipients' parameter in the campaign REST API. The attack exploits a two-stage flaw: a malicious SQL payload bypasses int-cast input validation at write time and persists unsanitized, then fires during a subsequent campaign retrieval request that passes the raw value into an unparameterized query. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated session with WordPress administrator-level privileges or higher - PR:N (unauthenticated) exploitation is not possible, as confirmed by the CVSS vector PR:H. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.9 Medium score is well-calibrated for this vulnerability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with valid WordPress administrator credentials sends a POST request to /mrm/v1/campaigns/ with the 'recipients' parameter set to a value such as '1) UNION SELECT user_pass,user_login,NULL FROM wp_users-- -'; the int-cast in filter_recipients() evaluates this to 1, passes validation, and stores the raw string in the database. The attacker then issues a GET request to /mrm/v1/campaigns/{id}, which deserializes the stored recipients and feeds the unsanitized string through array_column() into an unparameterized SQL query in ContactGroupPivotModel, returning WordPress user password hashes and login names in the response. … |
| Remediation | Update Mail Mint to the version introduced in the WordPress plugin changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3592458%40mail-mint&new=3592458%40mail-mint - note that the exact patched release version number is not explicitly stated in available data and should be confirmed via the WordPress plugin directory before deploying. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42862
GHSA-87jw-g834-7wpg