Mail Mint < 1.18.11 – Authenticated (Admin+) Arbitrary File Upload | CVE 2025-11967 | Plugin Vulnerabilities

Description

The Mail Mint plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the process_contact_attribute_import function in all versions up to, and including, 1.18.10. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Fixed in 1.18.11

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/cf902756-21f3-483b-a5d8-a9b4226bde22

Miscellaneous

Original Researcher

vodanh

Verified

No

WPVDB ID

e4a00ab9-b3da-4f35-ab80-20068b8ac615

Timeline

Publicly Published

2025-11-07 (about 6 months ago)

Added

2025-11-07 (about 6 months ago)

Last Updated

2025-11-08 (about 6 months ago)

Other

Published

Title

Published

2024-10-04

Title

Hash Form - Drag & Drop Form Builder < 1.2.0 - Unauthenticated Limited File Upload

Published

2025-10-28

Title

Contact Form 7 PDF, Google Sheet & Database < 3.1.0 - Authenticated (Subscriber+) Arbitrary File Upload

Published

2023-09-26

Title

Welcart e-Commerce < 2.8.22 - Editor+ Arbitrary File Upload

Published

2024-11-15

Title

Real3D Flipbook Lite – 3D FlipBook, PDF Viewer, PDF Embedder < 4.8.5 - Authenticated (Author+) Arbitrary File Upload

Published

2014-08-01

Title

Front File Manager 0.1 - Arbitrary File Upload