CVE-2026-2025

The Mail Mint WordPress plugin before 1.19.5 does not have authorization in one of its REST API endpoint, allowing unauthenticated users to call it and retrieve the email addresses of users on the blog

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://wpscan.com/vulnerability/1b815cde-cd9d-46fa-a6ab-3d2851705e7b/

Configurations

No configuration.

History

15 Apr 2026, 14:42

Type	Values Removed	Values Added
Summary		(es) El plugin de WordPress Mail Mint anterior a 1.19.5 no tiene autorización en uno de sus endpoints de la API REST, lo que permite a usuarios no autenticados llamarlo y recuperar las direcciones de correo electrónico de los usuarios del blog.

04 Mar 2026, 18:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
CWE		CWE-200

04 Mar 2026, 06:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-04 06:16

Updated : 2026-06-17 10:30

NVD link : CVE-2026-2025

Mitre link : CVE-2026-2025

CVE.ORG link : CVE-2026-2025

JSON object : View

Products Affected

No product.

CWE

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

7.5 /10