PT-2026-8099 · WordPress · Mail Mint

Paolo Tresso · Published 2026-02-14 · Updated 2026-02-14 · CVE-2026-1258

CVSS v3.1: 4.9 Medium

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Mail Mint versions prior to 1.19.3

Description

The Mail Mint plugin for WordPress is susceptible to blind SQL Injection. This is due to inadequate escaping of user-supplied parameters and insufficient preparation of existing SQL queries. Specifically, the 'order-by', 'order-type', and 'selectedCourses' parameters in the following API endpoints are vulnerable: 'forms', 'automation', 'email/templates', and 'contacts/import/tutorlms/map'. An authenticated attacker with administrator-level access or higher can append additional SQL queries to existing ones.

Recommendations

Update Mail Mint to version 1.19.3 or later.
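
A generic way to handle the three parameter kinds named in the description, added here as an example; it is not Mail Mint's code or its 1.19.3 patch. Sort parameters are mapped onto allow-lists because ORDER BY cannot take bound placeholders, and the course list is reduced to validated integers. The table and column names, and the assumption that 'selectedCourses' is a list of numeric IDs, are hypothetical.

```php
<?php
// Added illustration, not Mail Mint's code. Table and column names are hypothetical.
const SORTABLE_COLUMNS = ['id', 'title', 'created_at'];

// ORDER BY takes identifiers and keywords, which placeholders cannot bind,
// so each request value is checked against a fixed allow-list.
function build_order_clause(array $params): string
{
    $column = $params['order-by'] ?? 'id';
    if (!in_array($column, SORTABLE_COLUMNS, true)) {
        $column = 'id'; // unknown or non-string value: fall back to the default
    }
    $direction = $params['order-type'] ?? 'DESC';
    $direction = is_string($direction) ? strtoupper($direction) : 'DESC';
    if (!in_array($direction, ['ASC', 'DESC'], true)) {
        $direction = 'DESC';
    }
    return "ORDER BY `{$column}` {$direction}";
}

// Assumption: 'selectedCourses' carries a list of numeric course IDs.
// Returns a WHERE fragment with %d placeholders plus the values to bind.
function build_course_filter(array $params): array
{
    $ids = [];
    foreach ((array) ($params['selectedCourses'] ?? []) as $value) {
        // Strict validation: "7 OR 1=1" is rejected, not truncated to 7.
        $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false) {
            $ids[] = $id;
        }
    }
    if ($ids === []) {
        return ['1 = 0', []]; // nothing valid selected: match no rows
    }
    $placeholders = implode(', ', array_fill(0, count($ids), '%d'));
    return ["course_id IN ({$placeholders})", $ids];
}

// Constructed request parameters with values outside the allow-lists.
$request = [
    'order-by'        => 'created_at, unexpected_sql',
    'order-type'      => 'asc',
    'selectedCourses' => ['12', '7 OR 1=1', 'abc', '30'],
];
[$where, $args] = build_course_filter($request);
$sql = "SELECT id, title FROM example_table WHERE {$where} " . build_order_clause($request);
echo $sql, PHP_EOL, json_encode($args), PHP_EOL;
// In WordPress the pair would be run as $wpdb->prepare($sql, ...$args).
```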

Fix

SQL injection


Weakness Enumeration

Related Identifiers

CVE-2026-1258

Affected Products

Mail Mint