[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8lc9gnJ9rXWQw8Pfa31BPi961CqQDOxzUwSq2JKdMdc":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-27349","mail-mint-email-marketing-newsletter-email-automation-woocommerce-emails-authenticated-subscriber-information-exposure","Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails \u003C= 1.19.5 - Authenticated (Subscriber+) Information Exposure","The Mail Mint – Email Marketing, Newsletter, Email Automation & WooCommerce Emails plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.19.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.","mail-mint",null,"\u003C=1.19.5","1.20.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-05-21 00:00:00","2026-05-26 19:53:13",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F807764ae-b898-416d-81ca-be2374a6d73f?source=api-prod",6,[22,23,24,25,26,27,28,29],"README.txt","app\u002FAPI\u002FActions\u002FAdmin\u002FContact\u002FContactImportAction.php","app\u002FAPI\u002FControllers\u002FAdmin\u002FAdminBaseController.php","app\u002FAPI\u002FControllers\u002FAdmin\u002FCampaignController.php","app\u002FAPI\u002FControllers\u002FAdmin\u002FFieldGroupController.php","app\u002FAPI\u002FControllers\u002FAdmin\u002FSettingBaseController.php","app\u002FAPI\u002FRoutes\u002FAdmin\u002FFieldGroupRoute.php","app\u002FAPI\u002FServer.php","researched",false,3,"# Exploitation Research Plan - CVE-2026-27349\n\n## 1. Vulnerability Summary\nThe **Mail Mint** plugin (up to 1.19.5) contains an authentication bypass\u002Fimproper authorization vulnerability in its REST API implementation. The plugin defines multiple administrative REST API endpoints under the `mrm\u002Fv1` namespace. However, the base controllers and the specific route registrations fail to implement proper capability checks.\n\nSpecifically:\n- `Mint\\MRM\\Admin\\API\\Controllers\\AdminBaseController::rest_permissions_check()` returns `true` unconditionally.\n- `Mint\\MRM\\Admin\\API\\Controllers\\SettingBaseController::rest_permissions_check()` returns `true` unconditionally.\n- `Mint\\MRM\\Admin\\API\\Routes\\FieldGroupRoute` explicitly sets `'permission_callback' => '__return_true'` for `READABLE`, `CREATABLE`, and `EDITABLE` methods.\n\nThis allows any authenticated user, such as a **Subscriber**, to access, read, and potentially modify administrative data like field groups, campaigns, and plugin settings.\n\n## 2. Attack Vector Analysis\n- **Endpoint Namespace**: `mrm\u002Fv1`\n- **Vulnerable Routes**: \n    - `\u002Fwp-json\u002Fmrm\u002Fv1\u002Ffield-groups\u002F` (Confirmed via `FieldGroupRoute.php`)\n    - `\u002Fwp-json\u002Fmrm\u002Fv1\u002Fcampaigns\u002F` (Inferred from `Server.php` and `AdminBaseController`)\n    - `\u002Fwp-json\u002Fmrm\u002Fv1\u002Fsettings\u002F` (Inferred from `Server.php` and `SettingBaseController`)\n- **HTTP Method**: `GET` (for Information Exposure)\n- **Authentication**: Required (Subscriber level or higher)\n- **Preconditions**: A valid `wp_rest` nonce must be provided in the `X-WP-Nonce` header for authenticated REST requests.\n\n## 3. Code Flow\n1. **Route Registration**: `Mint\\MRM\\Admin\\API\\Server::rest_api_init()` iterates through routes defined in `get_routes()`.\n2. **Permission Setup**: In `FieldGroupRoute::register_routes()`, the `permission_callback` is set to `__return_true`.\n3. **Request Dispatch**: When a Subscriber sends a GET request to `\u002Fwp-json\u002Fmrm\u002Fv1\u002Ffield-groups\u002F`, WordPress calls the `permission_callback`.\n4. **Bypass**: Since the callback returns `true`, the request proceeds to `FieldGroupController::get_all()`.\n5. **Data Retrieval**: `FieldGroupController::get_all()` calls `MRM\\Models\\FieldGroup::get_all()` (aliased from `ModelsFieldGroup`), which queries the database for all custom field groups and returns them to the unauthorized user.\n\n## 4. Nonce Acquisition Strategy\nTo interact with the WordPress REST API as an authenticated user, a `wp_rest` nonce is required.\n\n1.  **Login**: Use the `browser_login` tool to authenticate as a Subscriber.\n2.  **Navigate**: Navigate to the WordPress dashboard (`\u002Fwp-admin\u002F`).\n3.  **Extraction**: Use `browser_eval` to extract the REST nonce from the default WordPress `wpApiSettings` object.\n    - **JavaScript**: `window.wpApiSettings.nonce`\n4.  **Action**: Use this nonce in the `X-WP-Nonce` header for all subsequent `http_request` calls.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that a Subscriber can access sensitive \"Field Group\" data created by an administrator.\n\n### Step 1: Unauthorized Information Retrieval\n- **Tool**: `http_request`\n- **Method**: `GET`\n- **URL**: `\u002Fwp-json\u002Fmrm\u002Fv1\u002Ffield-groups\u002F`\n- **Headers**:\n    - `X-WP-Nonce: [EXTRACTED_NONCE]`\n    - `Content-Type: application\u002Fjson`\n- **Expected Response**: A `200 OK` status with a JSON array containing the \"Secret Field Group\" details created during setup.\n\n### Step 2: Unauthorized Settings Retrieval (Secondary)\n- **Method**: `GET`\n- **URL**: `\u002Fwp-json\u002Fmrm\u002Fv1\u002Fsettings\u002F`\n- **Headers**:\n    - `X-WP-Nonce: [EXTRACTED_NONCE]`\n- **Expected Response**: Configuration data for the Mail Mint plugin.\n\n## 6. Test Data Setup\nBefore exploitation, administrative data must exist to be exposed:\n1.  **Create Subscriber**: Use WP-CLI to create a user with the `subscriber` role.\n2.  **Create Sensitive Data**: Use WP-CLI (or `browser_eval` as admin) to create a dummy field group.\n    ```bash\n    # Example using wp eval to simulate admin creating a group\n    wp eval \"use MRM\\Models\\FieldGroup; use MRM\\Data\\FieldGroup as DataFieldGroup; \\$fg = new DataFieldGroup(['title' => 'Internal Sales Leads', 'description' => 'Confidential lead data']); MRM\\Models\\FieldGroup::insert(\\$fg);\"\n    ```\n3.  **Verify Setup**: Confirm the data exists in the database.\n\n## 7. Expected Results\n- **Success Criteria**: The Subscriber receives a JSON response containing the string \"Internal Sales Leads\".\n- **Status Code**: `200 OK` (If restricted, it would return `401 Unauthorized` or `403 Forbidden`).\n- **Data Content**: The response should reveal `id`, `title`, and `description` of field groups that should only be visible to administrators.\n\n## 8. Verification Steps\n1.  **Check Response**: Inspect the JSON returned by the `http_request` tool for the \"Internal Sales Leads\" field group.\n2.  **Database Comparison**: Run `wp db query \"SELECT * FROM wp_mrm_field_groups;\"` (table name inferred from plugin prefix) and compare the results with the REST API output.\n\n## 9. Alternative Approaches\nIf the `field-groups` endpoint is blocked for some reason, attempt to access the `campaigns` endpoint:\n- **URL**: `\u002Fwp-json\u002Fmrm\u002Fv1\u002Fcampaigns\u002F`\n- **Logic**: Inherits from `AdminBaseController` which defines `rest_permissions_check() { return true; }`. This should leak campaign titles and sender emails.\n\nAnother high-impact target is the `contact-import` list:\n- **URL**: `\u002Fwp-json\u002Fmrm\u002Fv1\u002Fcontact-import\u002F` (GET)\n- **Check**: Look for any methods in `ContactImportAction.php` that return MailChimp configuration or list data.","The Mail Mint plugin exposes sensitive administrative information through its REST API due to improper authorization checks in several base controllers and route definitions. Authenticated users, including those with Subscriber-level permissions, can access and potentially modify field groups, campaign data, and plugin settings by querying the 'mrm\u002Fv1' namespace.","\u002F\u002F app\u002FAPI\u002FControllers\u002FAdmin\u002FAdminBaseController.php\nabstract class AdminBaseController extends BaseController {\n\tpublic function rest_permissions_check() {\n\t\treturn true;\n\t}\n}\n\n---\n\n\u002F\u002F app\u002FAPI\u002FControllers\u002FAdmin\u002FSettingBaseController.php\nabstract class SettingBaseController extends \\WP_REST_Controller {\n\tpublic function rest_permissions_check() {\n        return true;\n\t}\n}\n\n---\n\n\u002F\u002F app\u002FAPI\u002FRoutes\u002FAdmin\u002FFieldGroupRoute.php\nregister_rest_route(\n\t$this->namespace,\n\t'\u002F' . $this->rest_base . '\u002F',\n\tarray(\n\t\tarray(\n\t\t\t'methods'             => WP_REST_Server::CREATABLE,\n\t\t\t'callback'            => array($this->controller, 'create_or_update'),\n\t\t\t'permission_callback' => '__return_true',\n\t\t),\n\t\tarray(\n\t\t\t'methods'             => \\WP_REST_Server::READABLE,\n\t\t\t'callback'            => array($this->controller, 'get_all'),\n\t\t\t'permission_callback' => '__return_true',\n\t\t),\n\t)\n);","diff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmail-mint\u002F1.19.5\u002Fapp\u002FAPI\u002FControllers\u002FAdmin\u002FAdminBaseController.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmail-mint\u002F1.20.0\u002Fapp\u002FAPI\u002FControllers\u002FAdmin\u002FAdminBaseController.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmail-mint\u002F1.19.5\u002Fapp\u002FAPI\u002FControllers\u002FAdmin\u002FAdminBaseController.php\t2024-12-06 09:53:00.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmail-mint\u002F1.20.0\u002Fapp\u002FAPI\u002FControllers\u002FAdmin\u002FAdminBaseController.php\t2026-03-16 08:49:44.000000000 +0000\n@@ -29,6 +29,13 @@\n \t * @since 1.0.0\n \t *\u002F\n     public function rest_permissions_check() {\n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\treturn new \\WP_Error(\n+\t\t\t\t'rest_forbidden',\n+\t\t\t\t__( 'Sorry, you are not authorized to perform this action.', 'mrm' ),\n+\t\t\t\tarray( 'status' => rest_authorization_required_code() )\n+\t\t\t);\n+\t\t}\n \t\treturn true;\n \t}\n }\ndiff -ru \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmail-mint\u002F1.19.5\u002Fapp\u002FAPI\u002FControllers\u002FAdmin\u002FSettingBaseController.php \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmail-mint\u002F1.20.0\u002Fapp\u002FAPI\u002FControllers\u002FAdmin\u002FSettingBaseController.php\n--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmail-mint\u002F1.19.5\u002Fapp\u002FAPI\u002FControllers\u002FAdmin\u002FSettingBaseController.php\t2024-12-06 09:53:00.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Fmail-mint\u002F1.20.0\u002Fapp\u002FAPI\u002FControllers\u002FAdmin\u002FSettingBaseController.php\t2026-03-16 08:49:44.000000000 +0000\n@@ -97,7 +97,14 @@\n \t * @since 1.0.0\n \t *\u002F\n \tpublic function rest_permissions_check() {\n-\t\treturn true;\n+\t\tif ( ! current_user_can( 'manage_options' ) ) {\n+\t\t\treturn new \\WP_Error(\n+\t\t\t\t'rest_forbidden',\n+\t\t\t\t__( 'Sorry, you are not authorized to perform this action.', 'mrm' ),\n+\t\t\t\tarray( 'status' => rest_authorization_required_code() )\n+\t\t\t);\n+\t\t}\n+\t\treturn true;\n \t}","To exploit this vulnerability, an attacker first authenticates as a Subscriber-level user and obtains a valid REST API nonce (X-WP-Nonce) from the dashboard. The attacker then sends a GET request to administrative endpoints such as \u002Fwp-json\u002Fmrm\u002Fv1\u002Ffield-groups\u002F, \u002Fwp-json\u002Fmrm\u002Fv1\u002Fcampaigns\u002F, or \u002Fwp-json\u002Fmrm\u002Fv1\u002Fsettings\u002F. Because the plugin's permission callbacks for these routes and their base controllers return true for any logged-in user without checking for administrative capabilities (manage_options), the plugin returns sensitive configuration data, user-defined custom field groups, or email campaign details that should only be accessible to administrators.","gemini-3-flash-preview","2026-06-04 22:30:09","2026-06-04 22:30:41",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","1.19.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmail-mint\u002Ftags\u002F1.19.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmail-mint.1.19.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmail-mint\u002Ftags\u002F1.20.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmail-mint.1.20.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmail-mint\u002Ftags"]