CVE-2026-12918 in Mail Mint Plugininfo

Summary

by MITRE • 07/10/2026

The Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to generic SQL Injection via the 'recipients' parameter in all versions up to, and including, 1.24.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. This is a second-order SQL injection: the malicious payload is first stored unsanitized via a POST request to /mrm/v1/campaigns/ (bypassing filter_recipients() validation because an int-cast of a string like '1) OR ...' evaluates to a real numeric ID), and is then triggered by a subsequent GET request to /mrm/v1/campaigns/{id} that deserializes the recipients and passes the raw id string through array_column() into the vulnerable query.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/10/2026

The Mail Mint plugin for WordPress presents a critical second-order SQL injection vulnerability that demonstrates a sophisticated exploitation vector targeting authenticated administrators. This vulnerability exists in versions up to and including 1.24.1, where the plugin fails to properly sanitize user-supplied input through the 'recipients' parameter. The flaw stems from inadequate escaping of user-provided data combined with insufficient query preparation mechanisms, creating an environment where malicious actors can manipulate database queries through carefully crafted payloads. The vulnerability is particularly concerning because it requires only administrator-level access, making it accessible to attackers who have already compromised administrative credentials or gained legitimate access to privileged accounts.

The technical implementation of this attack exploits a specific pattern where the malicious payload is initially stored unsanitized during a POST request to the /mrm/v1/campaigns/ endpoint. This occurs because the filter_recipients() validation function fails to properly handle string inputs that can be cast to integers, such as '1) OR ...' which evaluates to a legitimate numeric ID of 1. The system accepts this malformed input without proper sanitization, storing the malicious payload within the database. When subsequent GET requests are made to /mrm/v1/campaigns/{id}, the stored data is deserialized and passed through array_column() function directly into the vulnerable SQL query construction. This second-order nature of the vulnerability means that the attack requires multiple request phases to execute successfully, with the initial malicious input being stored before being triggered.

The operational impact of this vulnerability extends beyond simple information disclosure to potentially enable full database compromise by authenticated attackers. Attackers can leverage this vulnerability to extract sensitive data including user credentials, personal information, and potentially access other system components that rely on the compromised WordPress installation. The attack pattern requires minimal privileges but can result in significant data breaches and system compromise, making it particularly dangerous for organizations relying on WordPress for email marketing automation. The vulnerability affects not just the plugin's functionality but also represents a broader security weakness in how user input is validated and handled within the application stack.

Security mitigations for this vulnerability should focus on implementing proper parameterized queries and input sanitization throughout the data flow processing pipeline. The fix must ensure that all user-supplied inputs are properly escaped before being incorporated into database queries, with particular attention to the array_column() function's handling of potentially malicious data. Organizations should implement strict validation of integer parameters to prevent type coercion attacks where string values can be interpreted as numeric identifiers. Additionally, the plugin should employ comprehensive input filtering that prevents SQL injection patterns from being accepted during data storage phases. This vulnerability aligns with CWE-89 and CWE-20 categories related to SQL injection and input validation failures, respectively, and represents a typical example of how insufficient data sanitization can create persistent security weaknesses in web applications. The ATT&CK framework would categorize this as a privilege escalation technique through database access manipulation, where the initial compromise leads to deeper system infiltration capabilities.

Responsible

Wordfence

Reservation

06/22/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!