CVE-2026-1447: CWE-352 Cross-Site Request Forgery (CSRF) in getwpfunnels Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more
The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update contact notes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to missing sanitization and escaping this can lead to stored Cross-Site Scripting.
AI Analysis
Technical Summary
The Mail Mint plugin for WordPress (newsletters, email marketing, automation, WooCommerce emails and post notifications) contains a CSRF vulnerability tracked as CVE-2026-1447, present in all versions up to and including 1.19.2. The cause is missing nonce validation in the create_or_update_note function. A WordPress nonce is a short-lived token tied to one action and one logged-in user; the site mints it when it renders its own form or script and the handler verifies it (wp_verify_nonce, check_admin_referer or check_ajax_referer). A page on another origin cannot obtain that token, so its presence is what distinguishes a request generated by the site's own interface from one submitted by a third-party page the administrator happened to visit. Without the check, any request that reaches the handler carrying the administrator's session cookies is honoured, including one submitted automatically by a form or script on an attacker-controlled page. The attacker therefore needs no account on the site: it is enough to get an administrator who is currently logged in to open a link or page. The forged request creates or updates a contact note with attacker-chosen content, and because the plugin neither sanitizes that content on input nor escapes it on output, the note becomes a stored XSS payload that executes in the browser of anyone who views it in the dashboard, not only the administrator who was originally tricked. Script running inside an administrator's wp-admin session can do whatever that role can (create users, change settings, and edit plugin or theme files where file editing is enabled), so the practical ceiling is site takeover rather than altered notes. The CVSS v3.1 base score is 5.4 (medium): network attack vector, low attack complexity, no privileges required, user interaction required, low confidentiality and integrity impact, no availability impact. No fixed release or public exploit is recorded here; since the affected range ends at 1.19.2, any later release should be checked against the vendor's changelog for this CVE. The risk remains meaningful given how widely WordPress is deployed and the plugin's role in holding marketing and customer contact data.
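The two defects the advisory describes (a handler that accepts any request without a nonce, and note content that is neither sanitized nor escaped) are easiest to see side by side. The following is an added example written for this page, not Mail Mint's code: a minimal admin-post.php handler for a contact note, first in the vulnerable shape and then hardened. The hook and action names, the nonce action string, the `manage_options` capability, the field names and the use of post meta as storage are all illustrative assumptions.

```php
<?php
/**
 * Added example, not Mail Mint's code. A minimal admin-post.php handler for
 * creating or updating a contact note, first in the shape the advisory
 * describes (no nonce, no sanitization, no escaping) and then hardened.
 * Assumptions: hook/action names, the nonce action, the 'manage_options'
 * capability, the field names and storage in post meta are illustrative.
 */

/* --- Vulnerable shape (shown for contrast, deliberately not hooked) --- */
function example_vuln_create_or_update_note() {
    // No check_admin_referer(): any POST that arrives with the administrator's
    // cookies is honoured, including one submitted by a form on another site.
    $contact_id = (int) $_POST['contact_id'];
    $note       = $_POST['note'];                        // stored verbatim
    update_post_meta( $contact_id, 'example_contact_note', $note );
    echo '<p>Saved note: ' . $note . '</p>';             // echoed unescaped
    exit;
}

/* --- Hardened shape --- */
function example_create_or_update_note() {
    $contact_id = isset( $_POST['contact_id'] ) ? absint( $_POST['contact_id'] ) : 0;

    // 1. CSRF: the nonce is bound to this action, this contact and the
    //    logged-in user. check_admin_referer() ends the request with an error
    //    page if the nonce is missing, expired or forged.
    check_admin_referer( 'example_note_' . $contact_id );

    // 2. Authorization: a valid nonce proves intent, not permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // 3. Sanitize before storing. wp_unslash() removes the slashes WordPress
    //    adds to request data; sanitize_textarea_field() strips tags and
    //    control bytes while keeping line breaks.
    $note = isset( $_POST['note'] ) ? sanitize_textarea_field( wp_unslash( $_POST['note'] ) ) : '';
    if ( 0 === $contact_id || '' === $note ) {
        wp_die( 'Invalid contact or empty note.', 400 );
    }
    update_post_meta( $contact_id, 'example_contact_note', $note );

    // 4. Never echo request data back; redirect to the referring admin page.
    wp_safe_redirect( add_query_arg( 'note_saved', '1', wp_get_referer() ?: admin_url() ) );
    exit;
}
add_action( 'admin_post_example_create_or_update_note', 'example_create_or_update_note' );

/* --- The form that legitimately submits to the handler --- */
function example_render_note_form( $contact_id ) {
    $existing = (string) get_post_meta( $contact_id, 'example_contact_note', true );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_create_or_update_note">
        <input type="hidden" name="contact_id" value="<?php echo esc_attr( $contact_id ); ?>">
        <?php wp_nonce_field( 'example_note_' . $contact_id ); ?>
        <?php // 5. Escape on output as well: stored values may predate the fix. ?>
        <textarea name="note" rows="4"><?php echo esc_textarea( $existing ); ?></textarea>
        <button type="submit" class="button button-primary">Save note</button>
    </form>
    <?php
}
```

The nonce check alone closes the CSRF; steps 3 and 5 are what stop a note that was planted before the fix, or submitted by a legitimately authorized but malicious user, from executing as script. Checking the capability after the nonce matters too: a nonce only shows the request came from the site's own page for this user, not that the user may perform the action.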
Potential Impact
The direct effect is unauthorized creation or modification of contact notes in Mail Mint, which corrupts data that marketing and support staff rely on. The stored XSS is what makes it serious: script embedded in a note runs in the dashboard session of any administrator who later views it, and from there it can act with that administrator's privileges, for instance by adding accounts, changing settings, or installing code. WordPress authentication cookies are HttpOnly by default, so the realistic route is performing actions in the victim's session rather than stealing the cookie outright. Because exploitation depends on an administrator following a link while logged in, phishing or other social engineering is the expected delivery. Sites using the WooCommerce integration are the most exposed, since the plugin then holds customer contact and order-related data whose compromise carries reputational and regulatory consequences. Availability is not affected directly, but the integrity of the contact data and the confidentiality of whatever the hijacked admin session can reach are both at risk.
Mitigation Recommendations
Administrators should update Mail Mint to a release later than 1.19.2 that adds nonce validation and input sanitization to the note handler, once the vendor ships one; check the plugin changelog for a reference to this CVE. Until then, a WAF or reverse-proxy rule can reject POST requests to the plugin's administrative endpoints (admin-ajax.php, admin-post.php or its REST routes) whose Origin or Referer header names a host other than the site; match on the endpoint and the cross-origin headers, since the function name create_or_update_note does not itself appear in a request. A Content Security Policy limits what an injected note can do, but note that wp-admin depends heavily on inline scripts, so a policy strict enough to block the payload usually cannot be deployed there without breaking the dashboard; treat CSP as a front-end control, not a fix. Reduce the window in which a forged request can succeed: have administrators use a separate browser profile for wp-admin, log out when finished, and avoid following untrusted links while a dashboard session is open. Enable an activity log and alert on note creation or updates that arrive with a foreign Referer, from unexpected addresses, or at unusual hours. Keep the set of administrator accounts small, restrict wp-admin to trusted networks or devices where possible, set DISALLOW_FILE_EDIT to limit what script running in an admin session can install, and keep WordPress core and all other plugins current.
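The Origin/Referer rule above does not have to live in an external WAF. The following is an added example, not Mail Mint's or WordPress's own code: a must-use plugin (dropped into wp-content/mu-plugins/) that refuses POST requests to admin-ajax.php and admin-post.php whose Origin header, or Referer when Origin is absent, names a host other than the site's own. It is a stop-gap for the period before the plugin is fixed and does not replace per-action nonces. It assumes wp-admin is served from the hosts returned by site_url() and home_url(); any other host you use must be added to the allow list.

```php
<?php
/**
 * Added example, not Mail Mint's code: a must-use plugin that rejects POSTs to
 * admin-ajax.php and admin-post.php whose Origin (or Referer, if Origin is
 * absent) names a host other than this site. Stop-gap only; per-action nonces
 * remain the real CSRF control.
 * Assumption: wp-admin is served from the hosts of site_url() and home_url().
 */
function example_block_cross_site_admin_posts() {
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        return;
    }
    // $pagenow is derived by WordPress from the request path before 'init' fires.
    $page = $GLOBALS['pagenow'] ?? '';
    if ( ! in_array( $page, array( 'admin-ajax.php', 'admin-post.php' ), true ) ) {
        return;
    }

    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ( '' === $source ) {
        // Browsers always attach Origin to a cross-site form POST, so a request
        // with neither header comes from a non-browser client (cron, CLI, API).
        // Allow it and rely on nonces and capabilities; change to a 403 if no
        // such clients exist on this site.
        return;
    }

    $allowed = array_unique( array_filter( array(
        wp_parse_url( site_url(), PHP_URL_HOST ),
        wp_parse_url( home_url(), PHP_URL_HOST ),
    ) ) );
    // "Origin: null" (sent for opaque origins) parses to no host and is rejected.
    $actual = (string) wp_parse_url( $source, PHP_URL_HOST );

    foreach ( $allowed as $host ) {
        if ( 0 === strcasecmp( $host, $actual ) ) {
            return;
        }
    }

    status_header( 403 );
    nocache_headers();
    exit( 'Cross-site request rejected.' );
}
// Priority 0 so the check runs before plugin handlers registered on 'init'.
add_action( 'init', 'example_block_cross_site_admin_posts', 0 );
```

Test it before relying on it: submit a legitimate note from the dashboard (should succeed) and a form posted from a page on any other host while logged in (should return 403). If the site's front end posts to admin-ajax.php from a host that is not in the allow list, add that host rather than loosening the comparison.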
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-26T17:00:55.043Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69819975f9fa50a62faa53cc
Added to database: 2/3/2026, 6:45:09 AM
Last enriched: 2/26/2026, 7:10:25 PM
Last updated: 3/19/2026, 7:27:08 AM