Blind SQL Injection Vulnerability in Mail Mint Plugin for WordPress
CVE-2026-1258

4.9MEDIUM

Key Information:

Vendor: WordPress
Status: Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, And More
Vendor: CVE Published:; 14 February 2026

What is CVE-2026-1258?

The Mail Mint plugin for WordPress is susceptible to blind SQL injection attacks due to improper handling of user-supplied input in several API endpoints, including 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map'. This vulnerability arises from insufficient escaping of parameters like 'order-by', 'order-type', and 'selectedCourses', combined with a lack of adequate preparation in the associated SQL queries. As a result, authenticated users with administrator privileges can exploit the flaw to append malicious SQL commands, potentially compromising the database integrity and security.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more * <= 1.19.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3449536/mail...

CVSS V3.1

Score:

4.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 14, 2026
Vulnerability Reserved
Jan 20, 2026

Credit

Paolo Tresso

JSON

WordPress

What is CVE-2026-1258?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.