
CVE-2026-2025: CWE-200 Information Exposure in Mail Mint

Severity: High
Published: Wed Mar 04 2026 (03/04/2026, 06:00:08 UTC)
Source: CVE Database V5
Product: Mail Mint

Description

CVE-2026-2025 is an information exposure vulnerability in the Mail Mint WordPress plugin in versions before 1.19.5. One of the plugin's REST API endpoints lacks an authorization check, so unauthenticated users can call it and retrieve the email addresses of users registered on the affected WordPress site. No exploitation in the wild has been reported, but leaked email addresses feed phishing, spam and targeted follow-on attacks. The vulnerability requires neither authentication nor user interaction, which raises its risk. Sites running a vulnerable version are exposed to user data leakage; the fix is to update the plugin to version 1.19.5 or later.

AI-Powered Analysis

Last updated: 03/04/2026, 06:32:40 UTC

Technical Analysis

CVE-2026-2025 is classified under CWE-200 (Information Exposure) and affects the Mail Mint WordPress plugin before version 1.19.5. The root cause is a missing authorization check on one of the plugin's REST API endpoints: any remote client can invoke it and receive the email addresses of users registered on the site. The advisory does not identify the route, but in WordPress a route whose permission_callback is missing or unconditionally returns true is served to anyone, which is the usual shape of this bug. The exposed data is limited to email addresses, but those are personal data and directly usable for targeting. Because the endpoint needs neither authentication nor user interaction, exploitation is a single unauthenticated HTTP request and is trivial to automate across many sites, and WordPress's install base plus Mail Mint's use for subscription and newsletter management means unpatched sites are easy to find. No CVSS score has been assigned and no public exploit has been reported. Leaked addresses enable secondary phishing, spam and social-engineering campaigns against the site's users and erode their trust in the site. The issue was disclosed in March 2026; version 1.19.5 addresses it by adding an authorization check to the endpoint.
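The following is an added example written for this page; it is not Mail Mint's code and does not reproduce the affected route, which the advisory does not name. It shows the general WordPress pattern behind this class of CWE-200 bug: a REST route that returns subscriber email addresses registered with a permission_callback that lets everyone through, beside the hardened registration that decides authorization per request. The namespace example-mailer/v1, the route /subscribers, the table example_subscribers and the capability used are all hypothetical.

```php
<?php
// Added example, not Mail Mint's code. It illustrates the CWE-200 pattern the
// advisory describes: a WordPress REST route that returns subscriber e-mail
// addresses but never decides who is allowed to ask. The namespace, route,
// table name and capability are hypothetical.

/**
 * Shared handler: lists subscriber addresses from a hypothetical plugin table.
 * Authorization is deliberately NOT done here; it belongs in permission_callback,
 * which WordPress evaluates before the handler runs.
 */
function example_list_subscribers( WP_REST_Request $request ) {
    global $wpdb;
    $limit = (int) $request->get_param( 'per_page' );
    $rows  = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT id, email FROM {$wpdb->prefix}example_subscribers ORDER BY id LIMIT %d",
            $limit
        ),
        ARRAY_A
    );
    return rest_ensure_response( $rows );
}

/** Vulnerable registration: every visitor passes the check, so the list is public. */
function example_register_vulnerable_route() {
    register_rest_route( 'example-mailer/v1', '/subscribers', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_subscribers',
        // Omitting this key entirely has the same effect (plus a _doing_it_wrong
        // notice since WordPress 5.5): the route is served to anyone.
        'permission_callback' => '__return_true',
        'args'                => example_subscriber_args(),
    ) );
}

/** Hardened registration: the caller must hold a capability that implies access. */
function example_register_hardened_route() {
    register_rest_route( 'example-mailer/v1', '/subscribers', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_list_subscribers',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // Use the narrowest capability that fits; manage_options is a
            // conservative default. Unauthenticated callers get 401, logged-in
            // users without the capability get 403.
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to list subscribers.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        'args'                => example_subscriber_args(),
    ) );
}

/** Argument schema: bounds per_page so a caller cannot dump the whole table at once. */
function example_subscriber_args() {
    return array(
        'per_page' => array(
            'default'           => 20,
            'sanitize_callback' => 'absint',
            'validate_callback' => function ( $value ) {
                return is_numeric( $value ) && $value > 0 && $value <= 100;
            },
        ),
    );
}

// Only the hardened route is hooked. Swapping in example_register_vulnerable_route
// reproduces the class of flaw the advisory describes.
add_action( 'rest_api_init', 'example_register_hardened_route' );
```

When reviewing a plugin for this bug, grep for register_rest_route calls and check every permission_callback: '__return_true' is legitimate only for routes whose response is meant to be public, and a handler that returns personal data should never sit behind one.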

Potential Impact

The primary impact of this vulnerability is the unauthorized disclosure of user email addresses, which compromises confidentiality. This exposure can facilitate phishing attacks, spam distribution, and social engineering campaigns targeting users of the affected WordPress sites. Organizations relying on Mail Mint for email subscription management risk reputational damage and loss of user trust if their users' email addresses are leaked. While the vulnerability does not directly affect system integrity or availability, the indirect consequences of successful phishing or targeted attacks could lead to broader security incidents, including credential theft or malware infections. The ease of exploitation—requiring no authentication or user interaction—means attackers can automate the harvesting of email addresses at scale. This increases the likelihood of widespread abuse, especially for high-profile blogs or websites with large user bases. The lack of known exploits in the wild currently limits immediate risk, but the vulnerability remains a significant concern until patched.

Mitigation Recommendations

Update Mail Mint to version 1.19.5 or later, which adds the missing authorization check to the endpoint. Where the update cannot be applied immediately, reduce exposure in the meantime: block unauthenticated requests to the plugin's REST routes with a web application firewall rule (the advisory does not name the affected route, so take the path from the site's /wp-json/ index or the vendor's changelog), or require a logged-in user for the plugin's REST namespace at the WordPress level. Blanket restrictions on the REST API can break legitimate public functionality such as subscription forms and the block editor, so allowlist the routes that must stay public and test after deploying. Restricting access to trusted source IPs is an option for sites whose administrative traffic comes from known addresses. Beyond this CVE, keep plugins current, monitor web server logs for bursts of unauthenticated requests to /wp-json/ paths, and warn users about phishing. Multi-factor authentication on WordPress accounts limits what an attacker can do with a leaked address, and disabling REST endpoints that the site does not need removes attack surface for the next bug of this kind.
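One way to apply the interim restriction above at the WordPress level, as an added example that is neither Mail Mint's code nor a vendor-supplied workaround: a must-use plugin that short-circuits REST dispatch for unauthenticated callers of a chosen namespace while keeping an explicit allowlist of routes that must remain public. The namespace example-mailer/v1 and the public route /subscribe are hypothetical placeholders; the advisory does not name Mail Mint's route, so the real values have to come from the /wp-json/ index or the vendor changelog.

```php
<?php
/**
 * Plugin Name: Example REST namespace gate (interim mitigation)
 *
 * Added example, not Mail Mint's code or an official workaround. Place it in
 * wp-content/mu-plugins/ to deny unauthenticated access to an entire REST API
 * namespace until the vulnerable plugin is updated. The namespace and the
 * public-route allowlist below are hypothetical; the advisory does not name
 * the affected Mail Mint route.
 */

// Namespaces that must require a logged-in user (prefix match on the route).
const EXAMPLE_GATED_NAMESPACES = array( '/example-mailer/v1' );

// Routes inside a gated namespace that must stay public (e.g. a subscription
// form), keyed by route with the allowed HTTP methods. Keep this list short.
const EXAMPLE_PUBLIC_ROUTES = array(
    '/example-mailer/v1/subscribe' => array( 'POST' ),
);

function example_route_is_gated( string $route ): bool {
    foreach ( EXAMPLE_GATED_NAMESPACES as $ns ) {
        if ( $route === $ns || 0 === strpos( $route, $ns . '/' ) ) {
            return true;
        }
    }
    return false;
}

function example_route_is_public( string $route, string $method ): bool {
    return isset( EXAMPLE_PUBLIC_ROUTES[ $route ] )
        && in_array( $method, EXAMPLE_PUBLIC_ROUTES[ $route ], true );
}

// rest_pre_dispatch runs after WordPress has authenticated the request
// (cookie + nonce, or application password) and before any route handler, so
// is_user_logged_in() reflects the caller's real identity here.
add_filter( 'rest_pre_dispatch', function ( $result, WP_REST_Server $server, WP_REST_Request $request ) {
    $route  = $request->get_route();
    $method = $request->get_method();

    if ( ! example_route_is_gated( $route ) || example_route_is_public( $route, $method ) ) {
        return $result; // not our namespace, or deliberately public: normal dispatch
    }

    if ( ! is_user_logged_in() ) {
        // REMOTE_ADDR is the proxy's address behind a load balancer; adjust if needed.
        error_log( sprintf(
            'rest-gate: blocked %s %s from %s',
            $method,
            $route,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
        return new WP_Error(
            'rest_login_required',
            __( 'Authentication required for this endpoint.' ),
            array( 'status' => 401 )
        );
    }

    return $result;
}, 10, 3 );
```

Returning a WP_Error from rest_pre_dispatch stops dispatch and is rendered as a normal REST error response, so the plugin's own handler never runs for blocked requests. Remove the mu-plugin once the site is on 1.19.5 or later; the gate is coarser than the fix and will keep logging legitimate public traffic to any route you forgot to allowlist.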


Technical Details

Data Version: 5.2
Assigner Short Name: WPScan
Date Reserved: 2026-02-05T20:41:56.158Z
CVSS Version: null (no score assigned)
State: PUBLISHED

Threat ID: 69a7ceacd1a09e29cb03bd89

Added to database: 3/4/2026, 6:18:20 AM

Last enriched: 3/4/2026, 6:32:40 AM

Last updated: 3/4/2026, 7:27:58 AM
