WordPress Security Bulletin: Mail Mint Plugin Vulnerability (CVE-2026-1447)

Security Alert Summary

The Mail Mint plugin for WordPress contains a Cross-Site Request Forgery (CSRF) issue in the create_or_update_note function in all versions up to and including 1.19.2. Missing nonce validation allows an attacker to create or update contact notes via a forged request if an administrator performs an action such as clicking a link. Because the plugin also lacks proper sanitization and escaping for these notes, successful exploitation can result in stored Cross-Site Scripting (XSS).

CVE Details

  • CVE ID: CVE-2026-1447
  • Affected component: Mail Mint plugin for WordPress
  • Affected versions: All versions up to and including 1.19.2
  • Published: February 3, 2026, 7:16:12 AM UTC
  • Last modified: February 3, 2026, 4:44:03 PM UTC
  • CVSS v3.1: Base Score 5.4, MEDIUM — CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
  • Authentication / privileges / user interaction: No privileges required (PR:N); user interaction required (UI:R). The attack vector is network (AV:N) and attack complexity is low (AC:L).
  • Primary impact: Confidentiality: Low; Integrity: Low; Availability: None
  • CWE / weakness: CWE-352 (Cross-Site Request Forgery)

Technical Details

The vulnerability is a CSRF condition caused by missing nonce validation on the create_or_update_note function. Because the plugin does not verify a valid nonce for requests that create or update contact notes, an attacker can craft a request that, when an authenticated administrator performs an action (for example, clicking a malicious link), will create or modify contact notes on the site.

Additionally, the plugin lacks proper sanitization and escaping for the stored note data. When an attacker is able to insert malicious HTML or JavaScript into a contact note, that payload can be stored and later executed in the context of an administrator’s browser (stored XSS), leading to limited data exposure or session-based abuse consistent with the CVSS impacts.

References in the codebase point to files such as ContactProfileAction.php and ContactProfileRoute.php where the relevant functionality is handled (see references below).
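To make the two defects concrete, here is an added illustration written for this bulletin; it is not the Mail Mint plugin's code, and the function names, the `example_notes` table, the `example_note_save` nonce action and the capability used are assumptions. The first handler shows the vulnerable shape the advisory describes (a note-saving endpoint with no nonce check and no sanitization); the second shows the standard WordPress hardening: nonce verification, a capability check, input sanitization before storage, and output escaping when the note is rendered.

```php
<?php
// Hypothetical admin-ajax handler for saving a contact note.
// Not the plugin's own code; names and table are assumptions for illustration.

// --- Vulnerable pattern: no nonce check, no capability check, no sanitization ---
function example_note_save_vulnerable() {
    global $wpdb;
    $contact_id = (int) $_POST['contact_id'];
    $note       = $_POST['note']; // raw, request-controlled HTML goes straight to storage

    $wpdb->insert(
        $wpdb->prefix . 'example_notes',
        array( 'contact_id' => $contact_id, 'note' => $note )
    );
    wp_send_json_success();
}

// --- Hardened pattern ---
function example_note_save_hardened() {
    global $wpdb;

    // 1. CSRF defense: the request must carry a nonce issued to this user for
    //    this action; a forged cross-site request cannot know it. Dies on failure.
    check_ajax_referer( 'example_note_save', 'nonce' );

    // 2. Authorization: the logged-in session must actually be allowed to do this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Sanitize before storage so markup never reaches the database.
    $contact_id = isset( $_POST['contact_id'] ) ? absint( wp_unslash( $_POST['contact_id'] ) ) : 0;
    $note       = isset( $_POST['note'] ) ? sanitize_textarea_field( wp_unslash( $_POST['note'] ) ) : '';

    if ( 0 === $contact_id || '' === $note ) {
        wp_send_json_error( 'invalid input', 400 );
    }

    $wpdb->insert(
        $wpdb->prefix . 'example_notes',
        array( 'contact_id' => $contact_id, 'note' => $note ),
        array( '%d', '%s' ) // explicit formats, so values are bound as data
    );
    wp_send_json_success( array( 'id' => $wpdb->insert_id ) );
}
add_action( 'wp_ajax_example_note_save', 'example_note_save_hardened' );

// Hand the nonce to the admin page script so legitimate requests can include it.
function example_note_enqueue() {
    wp_enqueue_script( 'example-notes', plugins_url( 'notes.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-notes', 'exampleNotes', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_note_save' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_note_enqueue' );

// 4. Escape on output: even a note that slipped past sanitization renders as text,
//    not as markup, when an administrator views the contact profile.
function example_note_render( $note ) {
    return '<p class="contact-note">' . esc_html( $note ) . '</p>';
}
```

The two layers are independent on purpose: the nonce and capability checks stop a forged request from creating or changing a note at all, while sanitization on input and `esc_html()` on output mean that a note which does get stored cannot execute script in an administrator's browser. If notes must legitimately carry limited formatting, `wp_kses_post()` on input with `wp_kses_post()` on output is the usual replacement for the plain-text pair shown here.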

How This Could Impact Your Website

Consider a site with a site owner, internal staff who manage contacts, and an external contractor who occasionally assists with administration. If an attacker persuades an administrator to click a crafted link while logged in, the attacker could create or modify contact notes associated with site contacts. Because notes are not properly sanitized, those notes could include malicious script that runs when an administrator views the contact profile.

Practical consequences include limited exposure of contact data or administrative session information (confidentiality and integrity impacts are rated low), and an increased risk of targeted phishing or social engineering attacks using information harvested from contact records. This vulnerability does not indicate direct availability impact or guaranteed full site compromise based on the provided data.

“If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.”

Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles and capabilities, especially for contributors and other non-admin roles.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior related to contact creation or updates.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

References