CVE-2026-23541 Overview
CVE-2026-23541 is a Missing Authorization vulnerability [CWE-862] affecting the WPFunnels Mail Mint plugin for WordPress. The flaw exists in versions up to and including 1.19.4 and allows unauthenticated network attackers to access functionality that is not properly constrained by access control lists. Mail Mint is an email marketing and automation plugin used by WordPress site operators to manage contacts, lists, and campaigns. Exploitation requires no authentication, no user interaction, and low attack complexity, and results in confidentiality impact on the affected site.
Critical Impact
Unauthenticated attackers can invoke Mail Mint functionality that should be restricted by access controls, leading to disclosure of sensitive email marketing data.
Affected Products
- WPFunnels Mail Mint plugin for WordPress
- All versions up to and including 1.19.4 (the advisory lists no lower bound, given as n/a)
- WordPress sites with Mail Mint installed and activated
Discovery Timeline
- 2026-02-19 - CVE-2026-23541 published to NVD
- 2026-04-23 - Last updated in NVD database
Technical Details for CVE-2026-23541
Vulnerability Analysis
The vulnerability is a Broken Access Control issue in the Mail Mint plugin. One or more plugin endpoints fail to enforce capability checks or authorization verification before executing privileged operations. An attacker reaches the vulnerable code path over the network without any credentials and without tricking a user into clicking a link. The result is exposure of confidential information managed by the plugin, such as subscriber lists, contact details, or campaign data.
The issue is categorized under CWE-862: Missing Authorization. This weakness occurs when software does not perform an authorization check when a user attempts to access a resource or perform an action. In WordPress plugins, this typically manifests as missing current_user_can() checks or unprotected REST API routes and AJAX handlers.
Root Cause
The root cause is the absence of authorization verification on one or more Mail Mint request handlers. WordPress plugins commonly register actions through admin-ajax.php, the REST API via register_rest_route(), or custom endpoints. Each handler must validate the calling user's capability before performing actions. Mail Mint releases up to 1.19.4 do not enforce this check on the affected functionality.
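The two handler types named above, as an added illustration of CWE-862 in WordPress plugin code (this is neither Mail Mint's code nor anything from the advisory): a REST route registered with register_rest_route() and an admin-ajax.php action, each shown first without authorization and then with the capability check that closes the gap. The namespace example-plugin/v1, the route and action names, and the example_plugin_get_contacts() data source are assumptions made for this example.

```php
<?php
// Added illustration of CWE-862 in a WordPress plugin; NOT Mail Mint's code.
// The namespace, routes, action names and example_plugin_get_contacts() are
// assumptions made for this example.

// VULNERABLE pattern: anyone on the network can invoke the callback, because
// permission_callback is '__return_true'. Omitting it entirely (pre-5.5 style)
// has the same effect; WordPress 5.5+ only logs a _doing_it_wrong notice.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/contacts', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_plugin_get_contacts',
        'permission_callback' => '__return_true', // no authorization check
    ) );
} );

// HARDENED pattern: the same route, but the REST server calls the callback only
// after permission_callback confirms the caller holds a suitable capability.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/contacts-secure', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_plugin_get_contacts',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // 'manage_options' is an admin-level capability; a real plugin
            // would normally register its own, narrower capability.
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to view contacts.', 'example-plugin' ),
                    // 401 for anonymous callers, 403 for logged-in users lacking the cap
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );

// Same defect and fix for an admin-ajax.php handler. The wp_ajax_nopriv_ hook
// exposes the action to logged-out visitors; even with wp_ajax_ alone, any
// logged-in account (a subscriber, say) can call it unless the handler itself
// checks a capability.
add_action( 'wp_ajax_nopriv_example_export_contacts', 'example_export_contacts_vulnerable' );
add_action( 'wp_ajax_example_export_contacts', 'example_export_contacts_vulnerable' );
function example_export_contacts_vulnerable() {
    wp_send_json_success( example_plugin_get_contacts() ); // no checks at all
}

add_action( 'wp_ajax_example_export_contacts_secure', 'example_export_contacts_secure' );
function example_export_contacts_secure() {
    // The nonce guards against CSRF; the capability check is the authorization.
    check_ajax_referer( 'example_export_contacts', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    wp_send_json_success( example_plugin_get_contacts() );
}

// Hypothetical data source standing in for a plugin's subscriber store.
function example_plugin_get_contacts() {
    return array(
        array( 'email' => 'alice@example.com', 'list' => 'newsletter' ), // constructed
    );
}
```

The point to take from the pair is that authentication and authorization are separate: a REST route or AJAX action can be reachable by a logged-in user and still be missing authorization if it never asks current_user_can() for a capability the operation actually requires.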
Attack Vector
An attacker sends crafted HTTP requests to the vulnerable plugin endpoint on a target WordPress site. Because no authentication is required, the request can originate from any internet host. The endpoint processes the request and returns data or executes operations that should be restricted to authorized administrators. See the Patchstack advisory for additional context on the affected endpoints.
No verified public proof-of-concept code is available at the time of publication. Defenders should treat the issue as exploitable based on the network attack vector and lack of authentication requirements.
Detection Methods for CVE-2026-23541
Indicators of Compromise
- Unauthenticated HTTP requests to Mail Mint REST API routes under /wp-json/mrm/ or /wp-json/mailmint/ namespaces from external IPs.
- POST or GET requests to admin-ajax.php with Mail Mint action parameters originating from unauthenticated sessions.
- Unusually large responses from Mail Mint endpoints in web server access logs, or unexpected outbound traffic from the site.
Detection Strategies
- Review WordPress access logs for requests to Mail Mint plugin paths that return HTTP 200 responses without an authenticated session cookie.
- Hunt for anomalous response sizes from Mail Mint endpoints that may indicate bulk data exfiltration.
- Correlate web server logs with WordPress audit logs to identify access to subscriber or contact data without corresponding admin login events.
Monitoring Recommendations
- Enable verbose logging on the WordPress REST API and admin-ajax.php handler.
- Deploy a web application firewall rule that flags unauthenticated requests to plugin-specific paths.
- Alert on bursts of requests to the same Mail Mint endpoint from a single source IP.
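The three detection strategies and the burst alert above, as an added command-line example that is not part of the advisory or of the Mail Mint project. It assumes an nginx log_format that appends the Cookie header as a final quoted field, because the default combined format does not record cookies and the "no authenticated session cookie" check cannot be evaluated without it. The log lines, the IP addresses, the /wp-json/mrm/v1/example-endpoint path, and the size and burst thresholds are all constructed for the example. It checks only the two REST namespaces listed above; the admin-ajax.php action names are not given on this page, so they are not modelled.

```php
<?php
// Added detection example (not advisory or Mail Mint code). Assumed log_format:
//   '$remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_cookie"'
// Thresholds are assumptions to be tuned against the site's normal traffic.
const MAILMINT_PATH_RE     = '#^/wp-json/(mrm|mailmint)/#';
const LARGE_RESPONSE_BYTES = 50000; // "bulk" response size, assumed
const BURST_THRESHOLD      = 5;     // requests per IP+endpoint that count as a burst, assumed

// Parse one log line into its fields; returns null for lines in another format.
function parse_line( string $line ): ?array {
    $re = '/^(\S+) - \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+) "([^"]*)"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    $path = parse_url( $m[4], PHP_URL_PATH ); // drop the query string
    return array(
        'ip'        => $m[1],
        'time'      => $m[2],
        'method'    => $m[3],
        'path'      => ( $path === false || $path === null ) ? $m[4] : $path,
        'status'    => (int) $m[5],
        'bytes'     => (int) $m[6],
        // Session cookie name is wordpress_logged_in_<hash>; only its presence is
        // visible in a log, not whether it is valid.
        'logged_in' => strpos( $m[7], 'wordpress_logged_in_' ) !== false,
    );
}

// Apply the three strategies and return one finding string per hit.
function analyze( array $lines ): array {
    $findings = array();
    $per_key  = array();
    foreach ( $lines as $line ) {
        $r = parse_line( $line );
        if ( $r === null || ! preg_match( MAILMINT_PATH_RE, $r['path'] ) ) {
            continue;
        }
        // Strategy 1: plugin endpoint answered 200 to a request carrying no logged-in cookie.
        if ( $r['status'] === 200 && ! $r['logged_in'] ) {
            $findings[] = sprintf( 'UNAUTH_200 %s %s %s', $r['ip'], $r['method'], $r['path'] );
        }
        // Strategy 2: response size that looks like a bulk export.
        if ( $r['bytes'] >= LARGE_RESPONSE_BYTES ) {
            $findings[] = sprintf( 'LARGE_RESPONSE %s %s %d', $r['ip'], $r['path'], $r['bytes'] );
        }
        // Strategy 3: count requests per source IP and endpoint for burst detection.
        $key = $r['ip'] . ' ' . $r['path'];
        $per_key[ $key ] = ( $per_key[ $key ] ?? 0 ) + 1;
    }
    foreach ( $per_key as $key => $count ) {
        if ( $count >= BURST_THRESHOLD ) {
            $findings[] = sprintf( 'BURST %s x%d', $key, $count );
        }
    }
    return $findings;
}

// Constructed sample lines: one source IP paging through an endpoint with no
// session, one logged-in administrator, and one unrelated core REST request.
$sample_log = array();
for ( $page = 1; $page <= 5; $page++ ) {
    $sample_log[] = sprintf(
        '203.0.113.7 - - [19/Feb/2026:10:00:%02d +0000] "GET /wp-json/mrm/v1/example-endpoint?page=%d HTTP/1.1" 200 81234 "-"',
        $page,
        $page
    );
}
$sample_log[] = '198.51.100.4 - - [19/Feb/2026:10:05:00 +0000] "GET /wp-json/mailmint/v1/example-endpoint HTTP/1.1" 200 1420 "wordpress_logged_in_0123abcd=admin%7C1771500000%7Cconstructed"';
$sample_log[] = '192.0.2.9 - - [19/Feb/2026:10:06:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5123 "-"';

foreach ( analyze( $sample_log ) as $finding ) {
    echo $finding, PHP_EOL;
}
```

On the sample data the script reports five UNAUTH_200 and five LARGE_RESPONSE findings for 203.0.113.7 plus one BURST line for that IP and endpoint; the logged-in administrator's request and the core /wp/v2/posts request produce nothing. Run it as `php detect.php` after replacing $sample_log with lines read from the real access log.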
How to Mitigate CVE-2026-23541
Immediate Actions Required
- Update Mail Mint to a version newer than 1.19.4 as soon as the vendor releases a patched build.
- Audit existing subscriber and contact data for signs of unauthorized export.
- Restrict access to /wp-admin/ and /wp-json/ paths to trusted IP ranges where feasible.
Patch Information
The vendor advisory is tracked through Patchstack. Refer to the Patchstack Mail Mint advisory for the fixed version and remediation details. Verify the installed plugin version through the WordPress admin Plugins page after applying the update.
Workarounds
- Deactivate the Mail Mint plugin until a patched release is installed if the site can operate without it.
- Apply WAF rules that block unauthenticated requests to Mail Mint REST routes and AJAX actions.
- Place the WordPress admin interface behind HTTP authentication or a VPN to limit exposure of plugin endpoints.
# Configuration example: block unauthenticated access to Mail Mint REST routes in nginx.
# The cookie test is only a coarse filter: nginx cannot validate the session, and a client
# can send a fabricated wordpress_logged_in_ cookie, so this is a stop-gap until the
# patched plugin is installed. Test before deploying: any public plugin feature that
# calls these routes will be blocked as well.
location ~ ^/wp-json/(mrm|mailmint)/ {
    # "if" with a plain "return" is one of the safe uses of "if" inside a location block.
    if ($http_cookie !~ "wordpress_logged_in_") {
        return 403;
    }
    # Hand the request to WordPress's front controller, as the regular /wp-json/ handling does.
    try_files $uri $uri/ /index.php?$args;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.