PatchSiren cyber security CVE debrief
CVE-2026-12918 getwpfunnels CVE debrief
The Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to generic SQL Injection via the 'recipients' parameter in all versions up to, and including, 1.24.1 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This vulnerability allows authenticated attackers, with administrator-level access and above, to append additional SQL queries into existing queries, potentially extracting sensitive database information. The exploitation involves a two-step process: first, a malicious payload is stored unsanitized via a POST request to /mrm/v1/campaigns/, bypassing validation due to the int-cast of string inputs like '1) OR ...' evaluating to a numeric ID; second, a GET request to /mrm/v1/campaigns/{id} deserializes recipients and passes the raw id string through array_column() into the vulnerable query.
- Vendor
- getwpfunnels
- Product
- Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails
- CVSS
- MEDIUM 4.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of the Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress, particularly those with administrator-level access and above, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is a second-order SQL injection: the malicious payload is first stored unsanitized via a POST request to /mrm/v1/campaigns/ (bypassing filter_recipients() validation because an int-cast of a string like '1) OR ...' evaluates to a real numeric ID), and is then triggered by a subsequent GET request to /mrm/v1/campaigns/{id} that deserializes the recipients and passes the raw id string through array_column() into the vulnerable query.
Defensive priority
Medium priority, as the vulnerability requires administrator-level access and above to exploit.
Recommended defensive actions
- Update the Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin to a version that fixes the SQL injection vulnerability.
- Restrict access to the plugin's functionality to prevent unauthorized users from exploiting the vulnerability.
- Monitor the plugin's logs for suspicious activity that may indicate exploitation attempts.
- Perform a thorough review of the plugin's configuration and usage to identify potential exposure.
- Implement additional monitoring and logging to detect potential exploitation attempts.
- Conduct a thorough asset inventory to identify all systems that may be affected by this vulnerability.
- Establish a rollback plan in case the update cannot be applied immediately.
Evidence notes
The vulnerability was reported by [email protected] and is described in detail on the Wordfence website. The CVE record was published on 2026-07-10T10:16:22.893Z and has not been modified since then.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T10:16:22.893Z and has not been modified since then.