← back
CVE-2026-2025

Mail Mint < 1.19.5 - Unauthenticated Emails Disclosure

CVSS 7.5 HIGHEPSS 1.4%CWE-200
Vexday Risk Score
36Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 7.5EPSS 1.4%KEV nãoPoC Nuclei simMetasploit Patch
Lifecycle
04 Mar 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
The Mail Mint WordPress plugin before 1.19.5 does not have authorization in one of its REST API endpoint, allowing unauthenticated users to call it and retrieve the email addresses of users on the blog
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
Unknown · Mail Mint

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://wpscan.com/vulnerability/1b815cde-cd9d-46fa-a6ab-3d2851705e7b/