Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce E…

Feb 13, 2026 | Plugins

Attack Vectors

Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more (slug: mail-mint) has a Medium-severity vulnerability (CVE-2026-1258, CVSS 4.9) affecting versions up to and including 1.19.2.

This issue is an authenticated blind SQL injection that can be triggered through multiple API endpoints: forms, automation, email/templates, and contacts/import/tutorlms/map.

The attack requires an authenticated user with Administrator-level access (or higher) to send crafted requests that manipulate specific input fields used for sorting and mapping: order-by, order-type, and selectedCourses.

Security Weakness

The vulnerability stems from insufficient escaping of user-supplied parameters and a lack of sufficient preparation in existing SQL queries. As a result, crafted values can be appended into database queries through the affected API endpoints.

Because this is a blind SQL injection, the results are not directly visible in the application interface, which can delay detection and response while data is still being exposed.
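As an added illustration (constructed here, not Mail Mint's own code; the table, column and function names are assumed), the weak pattern that lets sort parameters such as order-by and order-type reach ORDER BY unchecked, beside an allowlisted form, plus placeholder binding for list inputs like selectedCourses:

```php
<?php
// Added illustration, not Mail Mint's code. Table and column names are assumed.

// Weak pattern: request values are concatenated into the query string.
// $wpdb->prepare() cannot fix this by itself, because ORDER BY takes column
// identifiers and keywords, which placeholders cannot bind.
function mm_list_contacts_weak( wpdb $wpdb, array $request ) {
    $order_by   = $request['order-by'];   // untrusted
    $order_type = $request['order-type']; // untrusted
    $table      = $wpdb->prefix . 'mm_contacts'; // assumed table name
    return $wpdb->get_results(
        "SELECT id, email FROM {$table} ORDER BY {$order_by} {$order_type}"
    );
}

// Hardened pattern: map the request value onto a fixed set of columns and
// directions and fall back to a safe default, so the untrusted string itself
// never becomes part of the SQL.
function mm_sort_clause( array $request ) {
    $columns = [ 'id' => 'id', 'email' => 'email', 'created' => 'created_at' ];
    $dirs    = [ 'asc' => 'ASC', 'desc' => 'DESC' ];
    $col = $columns[ strtolower( (string) ( $request['order-by'] ?? '' ) ) ] ?? 'id';
    $dir = $dirs[ strtolower( (string) ( $request['order-type'] ?? '' ) ) ] ?? 'ASC';
    return "ORDER BY {$col} {$dir}";
}

// Values that are data rather than identifiers (here the row limit) are bound
// through prepare() placeholders.
function mm_list_contacts_hardened( wpdb $wpdb, array $request, int $limit ) {
    $table = $wpdb->prefix . 'mm_contacts';
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, email FROM {$table} " . mm_sort_clause( $request ) . ' LIMIT %d',
            $limit
        )
    );
}

// List inputs such as course IDs (the selectedCourses case): cast each element
// to an integer and bind every value through its own placeholder.
function mm_courses_in_clause( wpdb $wpdb, array $selected_courses ) {
    $ids = array_map( 'intval', $selected_courses );
    if ( empty( $ids ) ) {
        return 'WHERE 1 = 0'; // no courses selected: match nothing
    }
    $placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
    return $wpdb->prepare( "WHERE course_id IN ({$placeholders})", ...$ids );
}
```

The allowlist approach also gives a detection hook: a request whose order-by or order-type value is not one of the known keys can be logged as anomalous rather than silently defaulted.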

Technical or Business Impacts

From a business-risk perspective, the most important impact indicated by the CVSS vector is high confidentiality impact (C:H). In practical terms, this can translate into unauthorized access to information stored in your WordPress database that the attacker can reach through the vulnerable queries.

Even though the required privileges are high (Administrator+), this is still a meaningful risk for organizations with multiple admins, third-party agencies, contractors, or shared credentials. It also raises the stakes of any separate issue that could lead to admin compromise.

Recommended remediation is to update Mail Mint to version 1.19.3 or newer, which is the patched release noted in the advisory.

Similar Attacks: SQL injection remains one of the most common web application weaknesses and has been tied to major incidents across industries. Examples include the Equifax 2017 breach, the U.S. DOJ case involving SQL injection attacks, and the Imperva overview of SQL injection and its business implications.

Reference: CVE-2026-1258 and Wordfence advisory.
