CVE-2026-1447
Unknown Unknown - Not Provided
CSRF and Stored XSS in Mail Mint WordPress Plugin

Publication date: 2026-02-03

Last updated on: 2026-02-03

Assigner: Wordfence

Description
The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update contact notes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to missing sanitization and escaping this can lead to stored Cross-Site Scripting.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-03
Last Modified
2026-02-03
Generated
2026-06-16
AI Q&A
2026-02-03
EPSS Evaluated
2026-06-14
NVD
CVE-2026-1447
EUVD
EUVD-2026-5291
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mail_mint mail_mint to 1.19.2 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in the Mail Mint WordPress plugin (up to version 1.19.2) is a Cross-Site Request Forgery (CSRF) issue due to missing nonce validation on the create_or_update_note function. This allows unauthenticated attackers to trick a site administrator into performing actions like creating or updating contact notes via a forged request. Because the plugin also lacks proper sanitization and escaping in this function, it can lead to stored Cross-Site Scripting (XSS), where malicious scripts are saved and executed in the context of the site. [1, 3]

Impact Analysis

This vulnerability can allow attackers to manipulate contact notes by creating or updating them without proper authorization, potentially injecting malicious scripts (stored XSS). This can lead to unauthorized data manipulation, compromise of site administrators' accounts or sessions, and execution of malicious code in the context of the affected website, which can degrade site integrity and user trust. [1, 3]

Detection Guidance

This vulnerability involves Cross-Site Request Forgery (CSRF) in the Mail Mint WordPress plugin's create_or_update_note function due to missing nonce validation in versions up to 1.19.2. Detection on your system can involve monitoring for suspicious POST requests to the REST API endpoints related to contact notes, especially those that create or update notes without valid nonce tokens. You can check your web server logs or use network monitoring tools to look for POST requests to endpoints like /wp-json/mint/v1/contacts/{contact_id}/notes or similar routes that manage notes. Since the vulnerability allows unauthenticated attackers to forge requests that an admin might execute, look for unusual or unexpected note creation or updates in the plugin's database tables or admin interface. Specific commands depend on your environment, but examples include: 1. Using grep on web server logs to find POST requests to the notes endpoint: `grep 'POST /wp-json/mint/v1/contacts/' /var/log/apache2/access.log | grep '/notes'` 2. Using curl to test if nonce validation is missing (only for testing on your own system): `curl -X POST https://yourwordpresssite.com/wp-json/mint/v1/contacts/1/notes -d '{"note":{"description":"test"}}' -H 'Content-Type: application/json'` If this request succeeds without a valid nonce, the system is vulnerable. 3. Using WordPress CLI or database queries to check for unexpected or suspicious notes created recently. Note that the plugin's REST API routes require certain permissions and nonce validation after the patch, so absence of nonce validation indicates vulnerability. Monitoring for missing or invalid nonce usage in requests can help detect exploitation attempts. [4, 6]

Mitigation Strategies

Immediate mitigation steps include: 1. Update the Mail Mint WordPress plugin to a version later than 1.19.2 where the vulnerability is patched. The patch enforces nonce verification for CSRF protection and sanitizes inputs to prevent stored XSS and unauthorized note manipulation. 2. If updating immediately is not possible, restrict access to the WordPress admin area and REST API endpoints related to contact notes to trusted users only, minimizing the risk of an attacker tricking an admin into executing forged requests. 3. Monitor and audit recent changes to contact notes for suspicious activity. 4. Implement Web Application Firewall (WAF) rules to block suspicious POST requests to the vulnerable endpoints without valid nonce tokens. 5. Educate administrators to avoid clicking on suspicious links that could trigger forged requests. These steps help prevent exploitation by ensuring only authorized and properly validated requests can create or update notes, mitigating CSRF and stored XSS risks. [2, 3, 4, 6]

Compliance Impact

The vulnerability allows unauthenticated attackers to create or update contact notes via forged requests, potentially leading to stored Cross-Site Scripting (XSS). This unauthorized manipulation of contact data could result in improper handling or exposure of personal information, which may violate data protection requirements under standards like GDPR or HIPAA. However, the provided resources do not explicitly discuss compliance impacts or mitigation steps related to these regulations. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1447. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart