Mail Mint Plugin Vulnerable to Attackers with Admin Access

CVE-2026-1258
Summary

The Mail Mint plugin for WordPress is vulnerable to SQL injection by attackers who already have administrator access. An attacker with admin rights who uses the plugin's API can potentially inject malicious SQL code, leading to unauthorized access to sensitive data. Update to the latest version of the plugin to fix this issue.

Original title
The Mail Mint plugin for WordPress is vulnerable to blind SQL Injection via the 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map' API endpoints in all versions up to, and...
Original description
The Mail Mint plugin for WordPress is vulnerable to blind SQL Injection via the 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map' API endpoints in all versions up to, and including, 1.19.2. This is due to insufficient escaping on the user-supplied 'order-by', 'order-type', and 'selectedCourses' parameters and lack of sufficient preparation on the existing SQL queries. This makes it possible for authenticated attackers, with administrator level access and above, to append additional SQL queries into already existing queries.
NVD CVSS 3.1: 4.9
Vulnerability type
CWE-89 SQL Injection
Published: 14 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026
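
One way to handle the three parameters named in the description, as an added example (not Mail Mint's code or its actual fix): sort column and direction are checked against allowlists because they cannot be bound as placeholders, and course IDs are reduced to integers and bound with `%d`. The function names, column names, `$table` and the sample request are assumptions.

```php
<?php
// Added example with hypothetical names; not Mail Mint's code.
const EXAMPLE_SORTABLE = ['id', 'title', 'created_at']; // assumed sortable columns

// Sort column and direction are identifiers/keywords, which cannot be bound as
// placeholders, so each is matched against a fixed allowlist with a safe default.
function example_order_clause(array $params): string
{
    $rawColumn = $params['order-by'] ?? '';
    $column = is_string($rawColumn) ? strtolower($rawColumn) : '';
    if (!in_array($column, EXAMPLE_SORTABLE, true)) {
        $column = 'id';
    }
    $rawDirection = $params['order-type'] ?? '';
    $direction = is_string($rawDirection) ? strtoupper($rawDirection) : '';
    if ($direction !== 'ASC' && $direction !== 'DESC') {
        $direction = 'DESC';
    }
    return "ORDER BY `{$column}` {$direction}";
}

// Reduce a 'selectedCourses' value to unique positive integer IDs and return
// them with a matching "%d,%d,..." placeholder list for $wpdb->prepare().
function example_course_filter($raw): array
{
    $items = is_array($raw) ? $raw : explode(',', (string) $raw);
    $ids = [];
    foreach ($items as $item) {
        $s = (is_int($item) || is_string($item)) ? trim((string) $item) : '';
        if (ctype_digit($s) && (int) $s > 0) {
            $ids[] = (int) $s;
        }
    }
    $ids = array_values(array_unique($ids));
    return [$ids, implode(',', array_fill(0, count($ids), '%d'))];
}

// Constructed request parameters, including values outside the allowlists.
$params = ['order-by' => 'title', 'order-type' => 'sideways',
           'selectedCourses' => ['12', 'x', 7, '12']];
[$ids, $placeholders] = example_course_filter($params['selectedCourses']);
echo example_order_clause($params), PHP_EOL;
echo json_encode($ids), ' ', $placeholders, PHP_EOL;

// With WordPress loaded and $ids non-empty (skip the query otherwise), the IDs
// are bound by prepare() rather than concatenated into the SQL string:
// $sql = $wpdb->prepare("SELECT id FROM {$table} WHERE course_id IN ({$placeholders}) "
//     . example_order_clause($params), $ids);
```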