{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23541", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-14T08:36:07.868Z", "datePublished": "2026-02-19T08:26:48.368Z", "dateUpdated": "2026-04-28T16:14:46.701Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "mail-mint", "product": "Mail Mint", "vendor": "WPFunnels", "versions": [{"changes": [{"at": "1.19.5", "status": "unaffected"}], "lessThanOrEqual": "1.19.4", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-01T16:04:53.987Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs.<p>This issue affects Mail Mint: from n/a through <= 1.19.4.</p>"}], "value": "Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Mail Mint: from n/a through <= 1.19.4."}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:46.701Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/mail-mint/vulnerability/wordpress-mail-mint-plugin-1-19-4-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Mail Mint plugin <= 1.19.4 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-24T21:24:30.207620Z", "id": "CVE-2026-23541", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T20:51:38.720Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23541", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-24T21:24:30.207620Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-24T21:24:31.756Z"}}], "cna": {"tags": ["x_known-exploited-vulnerability"], "title": "WordPress Mail Mint plugin <= 1.19.4 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Denver Jackson | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-1", "descriptions": [{"lang": "en", "value": "Accessing Functionality Not Properly Constrained by ACLs"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WPFunnels", "product": "Mail Mint", "versions": [{"status": "affected", "changes": [{"at": "1.19.5", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.19.4"}], "packageName": "mail-mint", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:42.401Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/mail-mint/vulnerability/wordpress-mail-mint-plugin-1-19-4-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Mail Mint: from n/a through <= 1.19.4.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs.<p>This issue affects Mail Mint: from n/a through <= 1.19.4.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:03.877Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23541", "state": "PUBLISHED", "dateUpdated": "2026-04-23T14:14:03.877Z", "dateReserved": "2026-01-14T08:36:07.868Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-02-19T08:26:48.368Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Mail Mint: from n/a through <= 1.19.4."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en WPFunnels Mail Mint mail-mint permite Acceder a Funcionalidad No Restringida Adecuadamente por ACLs. Este problema afecta a Mail Mint: desde n/a hasta &lt;= 1.19.4."}], "id": "CVE-2026-23541", "lastModified": "2026-04-23T15:36:38.660", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-02-19T09:16:11.903", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/mail-mint/vulnerability/wordpress-mail-mint-plugin-1-19-4-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.19.4]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.19.5,*]"}}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 93.0, "source": "matching"}]}, "original": {"product": "Mail Mint", "source": "cna", "vendor": "WPFunnels"}, "product": "mail_mint", "vendor": "getwpfunnels"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T17:44:19.354274+00:00", "value": {"mitigation_remediation": ["Upgrade the Mail Mint plugin to the latest version (greater than 1.19.4) as released by the vendor.", "If an upgrade is not immediately possible, remove or disable the plugin to eliminate the exposed vectors.", "Implement role\u2011based access controls or a web application firewall to block unauthorized requests to plugin endpoints until a patch is deployed."], "summary": {"action": "Patch", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "The flaw affects WPFunnels Mail Mint for WordPress, versions from the initial release through 1.19.4. Any site running any version up to and including 1.19.4 is susceptible until an update is applied.", "description_and_impact": "The vulnerability arises from missing authorization checks in the WPFunnels Mail Mint plugin, allowing unauthenticated users to access privileged functionality. Because the plugin does not enforce ACLs, attackers can invoke plugin endpoints that should be restricted, potentially exposing sensitive data or performing unauthorized operations. This weakness is classified as CWE-862.", "risk_and_exploitability": "The EPSS score is below 1%, indicating a low probability of exploitation at the time of assessment, and the vulnerability is not listed in CISA\u2019s KEV catalog. The CVSS score of 7.5 indicates a high severity for this vulnerability. Nonetheless, the attack vector is likely via a direct HTTP request to the plugin\u2019s exposed endpoints, requiring only that the plugin is active and the target site is publicly reachable. Because no additional authentication is enforced, any visitor can exploit it, making it simple to attack if the plugin is present."}}}}, "created": "2026-02-20T10:11:23.242434+00:00", "updated": "2026-04-28T17:45:16.145670+00:00", "vendors": ["getwpfunnels", "getwpfunnels$PRODUCT$mail_mint", "wordpress", "wordpress$PRODUCT$wordpress"]}