PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-12918 getwpfunnels CVE debrief

The Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to generic SQL Injection via the 'recipients' parameter in all versions up to, and including, 1.24.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This vulnerability allows authenticated attackers, with administrator-level access and above, to append additional SQL queries into existing queries, potentially extracting sensitive database information. The exploitation involves a two-step process: first, a malicious payload is stored unsanitized via a POST request to /mrm/v1/campaigns/, bypassing validation due to the int-cast of string inputs like '1) OR ...' evaluating to a numeric ID; second, a GET request to /mrm/v1/campaigns/{id} deserializes recipients and passes the raw id string through array_column() into the vulnerable query.

Vendor
getwpfunnels
Product
Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails
CVSS
MEDIUM 4.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of the Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress, particularly those with administrator-level access and above, should be aware of this vulnerability and take steps to mitigate it.

Technical summary

The vulnerability is a second-order SQL injection: the malicious payload is first stored unsanitized via a POST request to /mrm/v1/campaigns/ (bypassing filter_recipients() validation because an int-cast of a string like '1) OR ...' evaluates to a real numeric ID), and is then triggered by a subsequent GET request to /mrm/v1/campaigns/{id} that deserializes the recipients and passes the raw id string through array_column() into the vulnerable query.

Defensive priority

Medium priority, as the vulnerability requires administrator-level access and above to exploit.

Recommended defensive actions

  • Update the Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin to a version that fixes the SQL injection vulnerability.
  • Restrict access to the plugin's functionality to prevent unauthorized users from exploiting the vulnerability.
  • Monitor the plugin's logs for suspicious activity that may indicate exploitation attempts.
  • Perform a thorough review of the plugin's configuration and usage to identify potential exposure.
  • Implement additional monitoring and logging to detect potential exploitation attempts.
  • Conduct a thorough asset inventory to identify all systems that may be affected by this vulnerability.
  • Establish a rollback plan in case the update cannot be applied immediately.

Evidence notes

The vulnerability was reported by [email protected] and is described in detail on the Wordfence website. The CVE record was published on 2026-07-10T10:16:22.893Z and has not been modified since then.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T10:16:22.893Z and has not been modified since then.