CVE-2026-1447
CSRF and Stored XSS in Mail Mint WordPress Plugin

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: Wordfence

Description
The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update contact notes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to missing sanitization and escaping this can lead to stored Cross-Site Scripting.
Meta Information
Generated: 2026-05-27
AI Q&A: 2026-02-03
EPSS evaluated: 2026-05-25
External references: NVD, EUVD
Affected Vendors & Products
Vendor: mail_mint
Product: mail_mint
Version / Range: all versions up to and including 1.19.2
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Powered Q&A
Can you explain this vulnerability to me?

The vulnerability in the Mail Mint WordPress plugin (all versions up to and including 1.19.2) is a Cross-Site Request Forgery (CSRF) issue caused by missing nonce validation on the create_or_update_note function. An attacker who has no account on the site can host a page or link that, when a logged-in site administrator visits it, makes the administrator's browser submit a request that creates or updates a contact note. The browser attaches the administrator's session cookie, and because the function never checks a nonce it has no way to distinguish that forged submission from one made through the plugin's own interface. The function also stores the note content without sanitization and the plugin renders it without escaping, so an injected script persists and executes in the browser of whoever views the note, in the site's origin (stored Cross-Site Scripting). [1, 3]
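To make the two defects named in the description and in the answer above concrete, here is an added illustration. It is not Mail Mint's code and is not taken from this advisory's sources: a hypothetical admin-ajax handler for saving a contact note, written first with both mistakes (no nonce check, no sanitization or escaping) and then in hardened form. The function, action, table and capability names (demo_notes_*, 'demo_notes_save', demo_contact_notes, 'manage_options') are assumptions; the WordPress API calls are real. It runs inside WordPress as part of a plugin, not stand-alone.

```php
<?php
// Added illustration, not Mail Mint's code. Names below (demo_notes_*, the
// 'demo_notes_save' action, the demo_contact_notes table, the capability) are
// assumed; the WordPress functions are real. Loads as part of a plugin.

// ---- 1. Vulnerable shape: the two defects the advisory describes ----------
function demo_notes_vulnerable_save() {
    global $wpdb;
    // Login/capability check only. A cross-site form submitted by the admin's
    // browser passes it, because the browser attaches the session cookie.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Missing: check_ajax_referer(). Nothing ties this request to a page the
    // admin actually loaded on this site, so it can be forged (CWE-352).
    $contact_id  = (int) ( $_POST['contact_id'] ?? 0 );
    $description = $_POST['description'] ?? ''; // raw, attacker-controlled text
    $wpdb->insert( $wpdb->prefix . 'demo_contact_notes', array(
        'contact_id'  => $contact_id,
        'description' => $description,          // stored without sanitisation
    ) );
    wp_send_json_success( array( 'id' => $wpdb->insert_id ) );
}
function demo_notes_vulnerable_render( $note ) {
    // Printed without escaping: a stored <script> or onerror= payload runs in
    // the browser of whoever views the note, in the site's origin (stored XSS).
    echo '<div class="note">' . $note->description . '</div>';
}

// ---- 2. Hardened shape ----------------------------------------------------
function demo_notes_secure_save() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF: the nonce is bound to this action and this user's session, and a
    // page on another origin cannot read it. Aborts the request on failure.
    check_ajax_referer( 'demo_notes_save', 'nonce' );

    // Validate and sanitise before anything reaches the database.
    $contact_id  = absint( $_POST['contact_id'] ?? 0 );
    $note_id     = absint( $_POST['note_id'] ?? 0 );
    $description = sanitize_textarea_field( wp_unslash( $_POST['description'] ?? '' ) );
    if ( 0 === $contact_id || '' === $description ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    $table = $wpdb->prefix . 'demo_contact_notes';
    if ( $note_id ) {
        // Update: the WHERE clause binds the note to the contact, so a caller
        // cannot overwrite another contact's note by guessing an id.
        $wpdb->update(
            $table,
            array( 'description' => $description ),
            array( 'id' => $note_id, 'contact_id' => $contact_id ),
            array( '%s' ),
            array( '%d', '%d' )
        );
    } else {
        $wpdb->insert(
            $table,
            array( 'contact_id' => $contact_id, 'description' => $description ),
            array( '%d', '%s' )
        );
        $note_id = $wpdb->insert_id;
    }
    wp_send_json_success( array( 'id' => $note_id ) );
}
function demo_notes_secure_render( $note ) {
    // Escape on output, whatever is stored. This is the control that stops the
    // XSS even for notes written before the input sanitisation existed.
    echo '<div class="note">' . esc_html( $note->description ) . '</div>';
}
add_action( 'wp_ajax_demo_notes_save', 'demo_notes_secure_save' );

// The legitimate form must carry the nonce the handler checks. For a script
// that posts to admin-ajax.php with action=demo_notes_save, hand it over with
//   wp_localize_script( 'demo-notes', 'demoNotes',
//       array( 'nonce' => wp_create_nonce( 'demo_notes_save' ) ) );
// and send it as the 'nonce' POST field.
```

Two points worth noting. The capability check is not a CSRF defence: the forged request is executed by a user who passes it. Only the nonce, which a page on another origin cannot obtain, distinguishes a forged request from a legitimate one. And sanitize_textarea_field on input is defence in depth; esc_html at the point of output is what actually prevents the stored XSS, and it also protects notes that were saved before the fix.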


How can this vulnerability impact me?

This vulnerability can allow attackers to create or update contact notes without the administrator's intent and to inject malicious scripts into them (stored XSS). Because the script runs in the browser of whoever views the note, with that user's privileges and in the site's origin, the consequences include unauthorized modification of contact data, compromise of administrator accounts or sessions, and execution of attacker-controlled code in the context of the affected website, which degrades site integrity and user trust. [1, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a Cross-Site Request Forgery in the Mail Mint plugin's create_or_update_note function, caused by missing nonce validation in versions up to and including 1.19.2. Keep the attack shape in mind when hunting for it: the forged request is submitted by a logged-in administrator's own browser, so it arrives from the administrator's usual IP address with a valid session cookie and looks like normal admin activity. The usable signals are a missing or off-site Referer (or Origin) header on a state-changing request to the notes route, and notes the administrator does not recognise, especially ones containing HTML. The cited resources name routes of the form /wp-json/mint/v1/contacts/{contact_id}/notes for managing notes [4, 6]; confirm the exact path against the installed plugin version before relying on it. Specific commands depend on your environment, but for example:
1. Search the web server log for state-changing requests to the notes route, then inspect their Referer field (the Apache 'combined' log format records it):
grep 'POST /wp-json/mint/v1/contacts/' /var/log/apache2/access.log | grep '/notes'
2. Test whether the nonce check is missing, only on a system you own. An unauthenticated curl proves nothing about CSRF: with no session cookie the request should be rejected by the plugin's permission check whether or not a nonce is validated, and if it were accepted that would be an unauthenticated-access bug, not this one. Reproduce the forged-request condition instead: replay a note-save request with a valid administrator session cookie but without the nonce the plugin's own interface sends (an X-WP-Nonce header for REST routes, a nonce POST field for admin-ajax handlers):
curl -X POST https://yourwordpresssite.com/wp-json/mint/v1/contacts/1/notes -b '<administrator session cookie>' -H 'Content-Type: application/json' -d '{"note":{"description":"test"}}'
If the note is saved, nonce validation is not being enforced.
3. Check the plugin's note records for recent unexpected creations or updates, through the admin interface, WP-CLI or a database query. A quick sweep for common payload markers across the database is: wp db export - | grep -iE '<script|onerror=|javascript:'
The cited resources state that after the patch the plugin's routes require the appropriate permissions and nonce validation, so a handler that accepts a note without a nonce indicates an unpatched version. [4, 6]
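The log check in step 1 above, carried through as an added example in PHP (the plugin's own language) so it can run anywhere WP-CLI runs. This script is not from the advisory, its cited resources or the plugin. It parses access-log lines in the Apache 'combined' format, keeps state-changing requests to the contact-notes route, and flags those whose Referer is missing or whose host is not this site, which is what a forged cross-site request looks like. The site host and the route pattern (taken from the path the answer names) are assumptions, and the log lines embedded in the script are constructed, not real traffic.

```php
<?php
// Added example, not from the advisory, its resources or the plugin. Scans
// Apache/Nginx "combined" access-log lines for state-changing requests to
// the contact-notes route whose Referer is missing or off-site. The host and
// route pattern are assumptions; the sample lines at the bottom are constructed.

const SITE_HOST     = 'yourwordpresssite.com';                               // assumed
const NOTES_ROUTE   = '#^/wp-json/mint/v1/contacts/\d+/notes(?:/\d+)?/?$#';  // assumed
const WRITE_METHODS = array( 'POST', 'PUT', 'PATCH', 'DELETE' );
// combined format: ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
const LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';

/**
 * Returns null for lines that are not a write to the notes route, otherwise
 * the parsed fields plus a 'suspicious' flag set when the Referer is absent
 * or its host is not this site.
 */
function classify_line( string $line ): ?array {
    if ( ! preg_match( LINE_RE, trim( $line ), $m ) ) {
        return null; // not a combined-format line
    }
    list( , $ip, $time, $method, $path, $status, $referer ) = $m;
    $path = parse_url( $path, PHP_URL_PATH ) ?: $path; // drop any query string
    if ( ! in_array( $method, WRITE_METHODS, true ) || ! preg_match( NOTES_ROUTE, $path ) ) {
        return null; // not a state change on the notes route
    }
    $ref_host   = ( '-' === $referer ) ? null : parse_url( $referer, PHP_URL_HOST );
    $suspicious = ( null === $ref_host ) || 0 !== strcasecmp( $ref_host, SITE_HOST );
    return array(
        'ip'     => $ip,     'time'    => $time,    'method'     => $method,
        'path'   => $path,   'status'  => (int) $status,
        'referer' => $referer, 'suspicious' => $suspicious,
    );
}

// Constructed sample (not real traffic). Line 2 is what a forged write from
// the administrator's browser looks like: same IP as the legitimate line 1
// and a 200, but a Referer on another origin. Line 3 is a direct
// unauthenticated probe, rejected by the permission check.
$sample = <<<'LOG'
203.0.113.10 - - [03/Feb/2026:10:00:01 +0000] "POST /wp-json/mint/v1/contacts/42/notes HTTP/1.1" 200 87 "https://yourwordpresssite.com/wp-admin/admin.php?page=mailmint" "Mozilla/5.0"
203.0.113.10 - - [03/Feb/2026:10:05:22 +0000] "POST /wp-json/mint/v1/contacts/42/notes HTTP/1.1" 200 87 "https://evil.example/lure.html" "Mozilla/5.0"
198.51.100.7 - - [03/Feb/2026:10:06:00 +0000] "POST /wp-json/mint/v1/contacts/1/notes HTTP/1.1" 401 64 "-" "curl/8.5.0"
203.0.113.10 - - [03/Feb/2026:10:07:00 +0000] "GET /wp-json/mint/v1/contacts/42/notes HTTP/1.1" 200 512 "https://yourwordpresssite.com/wp-admin/" "Mozilla/5.0"
LOG;

// Usage: php csrf_scan.php /var/log/apache2/access.log (no argument: the sample).
$input = isset( $argv[1] ) ? file_get_contents( $argv[1] ) : $sample;
foreach ( explode( "\n", $input ) as $line ) {
    $r = classify_line( $line );
    if ( null === $r || ! $r['suspicious'] ) {
        continue;
    }
    printf( "%s %s %s %s -> %d referer=%s\n",
        $r['time'], $r['ip'], $r['method'], $r['path'], $r['status'], $r['referer'] );
}
```

On the embedded sample the script reports the second line (a 200 on a write whose Referer is evil.example) and the third (no Referer, rejected with 401), and ignores the legitimate write and the read. Two caveats: browsers may omit the Referer under a strict Referrer-Policy, so a missing Referer alone is a weaker signal than an off-site one, and if your server logs the Origin header, matching on it is more reliable. Both a successful forged write and a stored XSS payload can only be confirmed by inspecting the note itself.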


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:
1. Update the Mail Mint WordPress plugin to a version later than 1.19.2, where the vulnerability is patched. The patch enforces nonce verification for CSRF protection and sanitizes inputs to prevent stored XSS and unauthorized note manipulation.
2. If updating immediately is not possible, reduce who can be targeted. The forged request only succeeds when it is executed in the browser of a user permitted to manage contact notes, so limit that capability to as few accounts as possible and have those users avoid browsing untrusted sites while logged in to the WordPress admin area.
3. Monitor and audit recent changes to contact notes for suspicious activity; treat notes containing HTML or script markup as suspect.
4. Add Web Application Firewall (WAF) rules for the affected endpoints. A WAF cannot validate a WordPress nonce, which is bound to the user's session and the action, but it can block state-changing requests to the notes endpoints whose Origin or Referer header is not your site, which is what a cross-site forged request looks like.
5. Educate administrators to avoid clicking on suspicious links while logged in, since such a link is what triggers the forged request.
Together these steps ensure that only requests the administrator actually intended, carrying a valid nonce and properly validated input, can create or update notes, mitigating both the CSRF and the stored XSS risks. [2, 3, 4, 6]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to create or update contact notes via forged requests, potentially leading to stored Cross-Site Scripting (XSS). This unauthorized manipulation of contact data could result in improper handling or exposure of personal information, which may violate data protection requirements under standards like GDPR or HIPAA. However, the provided resources do not explicitly discuss compliance impacts or mitigation steps related to these regulations. [1, 2, 3]

