Cross-Site Request Forgery Vulnerability in Mail Mint Plugin for WordPress
CVE-2026-1447

5.4 MEDIUM

What is CVE-2026-1447?

The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery because the create_or_update_note function does not validate a nonce. This allows unauthenticated attackers to create or modify contact notes via a forged request, provided they can trick a site administrator into performing an action such as clicking a specially crafted link. Because the note content is also neither sanitized on input nor escaped on output, the same request can plant a stored Cross-Site Scripting payload, increasing the impact of the attack.
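To make the three defect classes in the description concrete, here is an added illustration (not Mail Mint's code; every function, hook and option name is hypothetical) of a WordPress AJAX note-update handler in the vulnerable shape beside a hardened version that verifies a nonce, checks capability, sanitizes input and escapes output:

```php
<?php
// Added example, not Mail Mint's code. Handler, hook and option names are
// invented for illustration. It shows the pattern the advisory describes:
// a note-saving endpoint with no nonce check and no sanitization, and the
// corrected form of the same endpoint.

// --- Vulnerable pattern (NOT hooked up; shown for contrast only) ---
function example_create_or_update_note_vulnerable() {
    // No nonce: any site the admin visits can POST this request on their behalf (CSRF).
    // No capability check: any logged-in role reaching wp_ajax_* can call it.
    $contact_id = (int) $_POST['contact_id'];
    $note       = $_POST['note'];                    // raw, unsanitized
    $notes      = get_option( 'example_contact_notes', array() );
    $notes[ $contact_id ] = $note;                   // stored verbatim -> stored XSS when rendered
    update_option( 'example_contact_notes', $notes );
    wp_send_json_success( array( 'note' => $note ) ); // unescaped on the way out
}

// --- Hardened pattern ---
function example_create_or_update_note_hardened() {
    // 1. CSRF: require a nonce bound to this specific action.
    //    check_ajax_referer() terminates the request with HTTP 403 if it is missing or invalid.
    check_ajax_referer( 'example_update_note', '_wpnonce' );

    // 2. Authorization: a valid nonce proves intent, not permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Sanitize inputs before they touch storage.
    $contact_id = isset( $_POST['contact_id'] ) ? absint( $_POST['contact_id'] ) : 0;
    $note       = isset( $_POST['note'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['note'] ) )
        : '';
    if ( 0 === $contact_id ) {
        wp_send_json_error( array( 'message' => 'Invalid contact.' ), 400 );
    }

    $notes = get_option( 'example_contact_notes', array() );
    $notes[ $contact_id ] = $note;
    update_option( 'example_contact_notes', $notes );

    // 4. Escape at output time, even though input was sanitized.
    wp_send_json_success( array( 'note' => esc_html( $note ) ) );
}
add_action( 'wp_ajax_example_update_note', 'example_create_or_update_note_hardened' );

// The legitimate admin UI must carry the nonce the handler expects.
function example_render_note_form( $contact_id ) {
    $nonce = wp_create_nonce( 'example_update_note' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="example_update_note">
        <input type="hidden" name="_wpnonce" value="<?php echo esc_attr( $nonce ); ?>">
        <input type="hidden" name="contact_id" value="<?php echo esc_attr( (int) $contact_id ); ?>">
        <textarea name="note"></textarea>
        <button type="submit">Save note</button>
    </form>
    <?php
}
```

The nonce check alone closes the CSRF, because a third-party page cannot obtain a nonce tied to the victim's session. The capability check, input sanitization and output escaping are independent controls: the advisory's stored XSS component is only addressed by the last two, so a fix that adds nonce validation but leaves the note unsanitized and unescaped still leaves an XSS reachable by any user allowed to call the endpoint.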

Affected Version(s)

Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails: all versions up to and including 1.19.2 (0 <= 1.19.2)

References

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Bui Van Y