SQL Injection Vulnerability in Mail Mint Email Marketing Plugin for WordPress
CVE-2026-12918
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 10 July 2026
What is CVE-2026-12918?
The Mail Mint Email Marketing plugin for WordPress is susceptible to a SQL Injection vulnerability through the 'recipients' parameter. This flaw allows authenticated attackers with administrator-level access to inject arbitrary SQL queries into existing queries. The vulnerability stems from inadequate user input escaping and a lack of secure query preparation. Attackers can exploit the vulnerability by sending unsanitized data via POST requests, which is saved and later executed, enabling them to extract confidential database information. This second-order SQL injection bypasses security measures due to its specific processing of numeric values, posing a significant risk to affected installations.
Affected Version(s)
Mail Mint β Email Marketing, Newsletter, Email Automation & WooCommerce Emails 0 <= 1.24.1