PatchSiren cyber security CVE debrief
CVE-2026-27349 WPFunnels Team CVE debrief
CVE-2026-27349 is a medium-severity information disclosure issue affecting the Mail Mint WordPress plugin, with reported impact through version 1.19.5. The available data indicates that the flaw can expose embedded sensitive system information to an unauthorized control sphere, which may increase the risk of follow-on attacks if exposed data is reused elsewhere. The CVSS vector indicates a network attack vector, low privileges required, no user interaction, and confidentiality impact only.
- Vendor: WPFunnels Team
- Product: Mail Mint
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-21
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-21
- Advisory updated: 2026-05-21
Who should care
Administrators and security teams responsible for WordPress sites running Mail Mint should review this advisory, especially if the plugin is enabled on production systems or handles configuration, credentials, or other embedded sensitive data. Hosting providers and managed WordPress operators should also prioritize checking fleet exposure.
Technical summary
The NVD record classifies the issue as CWE-497, Exposure of Sensitive System Information to an Unauthorized Control Sphere. The provided CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating a remotely reachable issue requiring low privileges, with confidentiality impact but no direct integrity or availability impact. The source reference points to a Patchstack advisory for the Mail Mint plugin and lists the affected range as "n/a through 1.19.5", meaning no starting version is given.
Defensive priority
Medium. This is not rated as critical and is not marked as known-exploited, but it still warrants timely review because information disclosure can enable credential harvesting, environment mapping, or chained exploitation.
Recommended defensive actions
- Confirm whether Mail Mint is installed and whether any instances are at version 1.19.5 or earlier.
- Review the vendor or Patchstack advisory for the fixed version and apply the remediation path as soon as it is available.
- Audit exposed configuration, logs, and any plugin-generated data for sensitive values that may have been disclosed.
- Restrict WordPress administrative access and minimize low-privilege accounts that can reach sensitive plugin functions.
- Monitor for suspicious access patterns or requests touching Mail Mint endpoints and related plugin data.
- If sensitive information may have been exposed, rotate any credentials, tokens, or secrets that could be affected.
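For the first action, a fleet check can be run over plugin inventories collected with `wp plugin list --format=json`. The following is an added example, not code from the advisory or the vendor; the plugin slug `mail-mint`, the site names, and the inventory contents are assumptions constructed for illustration.

```python
import json
import re

AFFECTED_THROUGH = "1.19.5"  # upper bound of the affected range stated in the advisory
PLUGIN_SLUG = "mail-mint"    # assumption: directory slug of the Mail Mint plugin

# Constructed sample: site name -> rows as emitted by `wp plugin list --format=json`
SAMPLE_JSON = """{
  "shop.example.test": [{"name": "mail-mint", "status": "active", "version": "1.19.5"}],
  "news.example.test": [{"name": "akismet", "status": "active", "version": "5.3"}],
  "blog.example.test": [{"name": "mail-mint", "status": "active", "version": "1.19.10"}],
  "dev.example.test": [{"name": "mail-mint", "status": "inactive", "version": "1.18.2"}]
}"""

def version_key(version):
    """Turn '1.19.5' into (1, 19, 5); stop at the first part with no leading digits."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)

def is_affected(version):
    """True if version <= AFFECTED_THROUGH; unparseable versions count as affected."""
    key = version_key(version)
    if not key:
        return True  # fail closed: an unknown version needs manual review
    bound = version_key(AFFECTED_THROUGH)
    width = max(len(key), len(bound))
    # Pad with zeros so '1.19' and '1.19.5.1' compare correctly against '1.19.5'
    return key + (0,) * (width - len(key)) <= bound + (0,) * (width - len(bound))

def triage(inventory):
    """Return (site, version, status) for every affected Mail Mint install."""
    findings = []
    for site, plugins in sorted(inventory.items()):
        for row in plugins:
            if row.get("name") != PLUGIN_SLUG:
                continue
            version = str(row.get("version", ""))
            if is_affected(version):
                # Inactive installs are reported too: the files are still on disk
                findings.append((site, version, row.get("status", "unknown")))
    return findings

if __name__ == "__main__":
    for site, version, status in triage(json.loads(SAMPLE_JSON)):
        print(f"{site}: {PLUGIN_SLUG} {version} ({status}) is within the affected range")
```

Versions are compared numerically per component, so 1.19.10 is correctly treated as newer than 1.19.5 where a plain string comparison would not.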
Evidence notes
The conclusion is based on the supplied NVD record, which includes the CVSS vector, CWE-497 classification, and a Patchstack reference. No exploit details, proof-of-concept code, or unsupported remediation version was inferred beyond the stated affected range through 1.19.5.
Official resources
- CVE-2026-27349 CVE record (CVE.org)
- CVE-2026-27349 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference
Publicly disclosed in the CVE record on 2026-05-21. No KEV listing was provided in the source corpus.