SQL Injection Vulnerability in Mail Mint Email Marketing Plugin for WordPress
CVE-2026-12918

4.9MEDIUM

What is CVE-2026-12918?

The Mail Mint Email Marketing plugin for WordPress is susceptible to a SQL Injection vulnerability through the 'recipients' parameter. This flaw allows authenticated attackers with administrator-level access to inject arbitrary SQL queries into existing queries. The vulnerability stems from inadequate user input escaping and a lack of secure query preparation. Attackers can exploit the vulnerability by sending unsanitized data via POST requests, which is saved and later executed, enabling them to extract confidential database information. This second-order SQL injection bypasses security measures due to its specific processing of numeric values, posing a significant risk to affected installations.

Affected Version(s)

Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails 0 <= 1.24.1

References

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

PRISM
.