CVE-2026-1447
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
2Description
The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update contact notes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to missing sanitization and escaping this can lead to stored Cross-Site Scripting.
Analysis
Unauthenticated attackers can forge requests to create or modify contact notes in WordPress Mail Mint plugin versions up to 1.19.2 by exploiting missing CSRF protections, requiring only that a site administrator clicks a malicious link. The lack of input validation on these operations enables stored XSS attacks that could compromise administrator accounts and site integrity. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems running for WordPress is vulnerable to Cross-Site Request Forgery in and apply vendor patches as part of regular patch cycle. Verify anti-CSRF tokens are enforced.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today