CVE-2026-1258
Blind SQL Injection in Mail Mint WordPress Plugin APIs
Publication date: 2026-02-14
Last updated on: 2026-02-14
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mail_mint | mail_mint | to 1.19.2 (inc) |
| mail_mint | mail_mint | 1.19.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Mail Mint plugin for WordPress has a blind SQL Injection vulnerability affecting several API endpoints including 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map' in all versions up to and including 1.19.2.
This vulnerability arises because user-supplied parameters such as 'order-by', 'order-type', and 'selectedCourses' are not properly escaped or validated before being used in SQL queries. This allows authenticated users with administrator-level access or higher to append additional SQL queries to existing ones, potentially manipulating the database.
How can this vulnerability impact me? :
An attacker with administrator-level access can exploit this vulnerability to perform blind SQL Injection attacks, which can lead to unauthorized access to sensitive data stored in the database.
Although the vulnerability does not affect data integrity or availability directly (as indicated by the CVSS vector showing high confidentiality impact but no integrity or availability impact), it can expose confidential information, potentially leading to data breaches.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects the Mail Mint WordPress plugin versions up to and including 1.19.2 and involves blind SQL Injection via specific API endpoints with certain parameters. Detection involves identifying if the vulnerable plugin version is installed and if the affected API endpoints are accessible.
To detect the vulnerability on your system, you can check the installed version of the Mail Mint plugin in your WordPress installation. Additionally, monitoring HTTP requests to the following API endpoints can help identify potential exploitation attempts: '/forms', '/automation', '/email/templates', and '/contacts/import/tutorlms/map'.
Since the vulnerability requires authenticated attackers with administrator level access, verifying user roles and monitoring for suspicious administrator activity is also important.
Specific commands to detect the vulnerability are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'Immediate mitigation steps include updating the Mail Mint plugin to version 1.19.3 or later, where the vulnerability has been addressed by implementing strict input validation and whitelisting of parameters used in SQL queries.'}, {'type': 'paragraph', 'content': "The patch ensures that parameters such as 'order-by' and 'order-type' are validated against predefined whitelists to prevent SQL injection, and all SQL queries use prepared statements properly."}, {'type': 'paragraph', 'content': 'If updating immediately is not possible, restrict administrator access to trusted users only and monitor API endpoint usage closely to detect any suspicious activity.'}] [1, 2, 3, 4]