Blind SQL Injection Vulnerability in Mail Mint Plugin for WordPress
CVE-2026-1258

4.9MEDIUM

Key Information:

Vendor: WordPress
Status: Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails
Vendor: CVE Published:; 14 February 2026

What is CVE-2026-1258?

The Mail Mint plugin for WordPress is susceptible to blind SQL injection attacks due to improper handling of user-supplied input in several API endpoints, including 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map'. This vulnerability arises from insufficient escaping of parameters like 'order-by', 'order-type', and 'selectedCourses', combined with a lack of adequate preparation in the associated SQL queries. As a result, authenticated users with administrator privileges can exploit the flaw to append malicious SQL commands, potentially compromising the database integrity and security.

Affected Version(s)

Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails 0 <= 1.19.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3449536/mail...

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 14, 2026
Vulnerability Reserved
Jan 20, 2026

Credit

Paolo Tresso

CVE-2026-1258 Data

JSON