Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more < 1.19.5 - Unauthenticated Information Disclosure
Description
The Mail Mint – Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to 1.19.5 (exclusive). This makes it possible for unauthenticated attackers to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Technical Details
What Changed in the Fix
Changes introduced in v1.19.5
Source Code
WordPress.org SVN
Exploitation Research Plan: CVE-2026-2025 (Mail Mint Information Disclosure)
1. Vulnerability Summary
The Mail Mint plugin (versions < 1.19.5) contains a sensitive information disclosure vulnerability within its REST API implementation. The plugin registers several administrative helper routes designed to fetch WordPress data (admins, pages, posts, products) but fails to implement any authorization checks. Specifically, in app/API/Routes/Admin/WPRoute.php, the routes use 'permission_callback' => '__return_true', allowing any unauthenticated user to query the endpoints and retrieve site data that should be restricted to administrators.
2. Attack Vector Analysis
- Endpoint: `/wp-json/mrm/v1/wp/admins` (and other sub-routes under `mrm/v1/wp/`)
- Method: GET
- Authentication: None required (unauthenticated).
- Preconditions: The plugin must be active. No specific configuration is required, as the routes are registered on `rest_api_init`.
- Vulnerable Parameters: None (the entire endpoint is exposed).
3. Code Flow
- Entry Point: The WordPress REST API receives a request to `wp-json/mrm/v1/wp/admins`.
- Route Registration: In `app/API/Routes/Admin/WPRoute.php`, the `register_routes()` method (Line 52) defines the routes.
- Authorization Check: For the `admins` route (Line 132), the configuration is:

```php
register_rest_route(
    $this->namespace,
    '/' . $this->rest_base . '/admins',
    array(
        array(
            'methods'             => \WP_REST_Server::READABLE,
            'callback'            => array( $this->controller, 'get_admins' ),
            'permission_callback' => '__return_true', // <--- VULNERABILITY
        ),
    )
);
```

- Callback Execution: Because `__return_true` always returns `true`, the REST server proceeds to execute the callback `WPController::get_admins` without checking whether the requester has administrative privileges.
- Sink: The controller fetches a list of administrator users (likely using `get_users( array( 'role' => 'administrator' ) )`) and returns them in the JSON response.
4. Nonce Acquisition Strategy
No nonce is required.
The vulnerability stems from the use of `'permission_callback' => '__return_true'`. In the WordPress REST API, if the permission callback returns `true`, the request is processed immediately without requiring an `X-WP-Nonce` header or authentication cookies.
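For contrast with the `__return_true` registration described above, the following is an added example (not Mail Mint's own code) of the same `/admins` route registered with a per-request permission callback. The class name `WPRouteExample`, the namespace, and the way the controller is obtained are assumptions; the capability `manage_options` is the one the plugin's own fix uses.

```php
<?php
// Added example: hardened registration of the /mrm/v1/wp/admins route.
// Names below (namespace, WPRouteExample) are assumptions for illustration.

namespace Example\MailMintHardening;

use WP_Error;
use WP_REST_Request;
use WP_REST_Server;

class WPRouteExample {
    private string $namespace = 'mrm/v1';
    private string $rest_base = 'wp';
    private object $controller; // assumed to expose get_admins( WP_REST_Request $request )

    public function __construct( object $controller ) {
        $this->controller = $controller;
    }

    public function register_routes(): void {
        register_rest_route(
            $this->namespace,
            '/' . $this->rest_base . '/admins',
            array(
                array(
                    'methods'             => WP_REST_Server::READABLE,
                    'callback'            => array( $this->controller, 'get_admins' ),
                    // A callable, evaluated on every request, instead of '__return_true'.
                    'permission_callback' => array( $this, 'require_manage_options' ),
                ),
            )
        );
    }

    /**
     * Runs before the route callback. With cookie authentication WordPress only
     * sets the current user when a valid X-WP-Nonce accompanies the request, so an
     * anonymous caller is evaluated as user 0 and fails the capability check.
     */
    public function require_manage_options( WP_REST_Request $request ) {
        if ( current_user_can( 'manage_options' ) ) {
            return true;
        }
        // rest_authorization_required_code(): 401 for anonymous callers,
        // 403 for logged-in users who lack the capability.
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to do that.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }
}

add_action( 'rest_api_init', function () {
    // In the real plugin the controller is WPController::get_instance(); its fully
    // qualified class name is not shown on this page, so it is assumed here.
    $controller = \WPController::get_instance();
    ( new WPRouteExample( $controller ) )->register_routes();
} );
```

An unauthenticated `GET /wp-json/mrm/v1/wp/admins` against a route registered this way receives a `401` JSON error body instead of the user list; a logged-in non-administrator receives `403`.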
5. Exploitation Strategy
The exploit involves making simple GET requests to the exposed endpoints via the http_request tool.
Request 1: Disclosing Administrators
- URL: `{{base_url}}/wp-json/mrm/v1/wp/admins`
- Method: GET
- Headers: `Content-Type: application/json`
- Expected Payload: None.
Request 2: Disclosing Pages (Potential Private/Draft Exposure)
- URL: `{{base_url}}/wp-json/mrm/v1/wp/pages`
- Method: GET
- Headers: `Content-Type: application/json`
Request 3: Disclosing Posts
- URL: `{{base_url}}/wp-json/mrm/v1/wp/posts`
- Method: GET
- Headers: `Content-Type: application/json`
6. Test Data Setup
To demonstrate the impact of the disclosure, the test environment should contain:
- Users: At least one administrator user (e.g., username: `security_admin`, email: `admin@example.com`).
- Content: Create at least one "Private" page or "Draft" post to determine whether the `get_pages`/`get_posts` controllers filter by status or return all entries:

```sh
wp post create --post_type=page --post_title='Secret Internal Page' --post_status=private --post_content='This is sensitive content.'
```
7. Expected Results
- Response Code: 200 OK
- Response Body: A JSON array containing objects representing WordPress users/posts.
- Success Criteria: The response to `/wp/admins` must contain at least the username, ID, and potentially the email or display name of the site administrator.
8. Verification Steps
- Compare IDs: Run `wp user list --role=administrator --fields=ID,user_login` via WP-CLI.
- Cross-Reference: Verify that the IDs and usernames returned in the HTTP response match the output from the WP-CLI command.
- Check Sensitivity: If emails are returned in the JSON, confirm they are not publicly available through standard WordPress endpoints (like `/wp-json/wp/v2/users`).
9. Alternative Approaches
If `/wp/admins` is blocked or restricted by a WAF, try the other registered sub-routes identified in WPRoute.php:
- `mrm/v1/wp/products` (if WooCommerce is installed)
- `mrm/v1/wp/categories`
- `mrm/v1/wp/tags`
- `mrm/v1/wp/pages`
- `mrm/v1/wp/posts`
Note: The wp/admins endpoint is the highest priority as user disclosure typically carries the most weight in "Sensitive Information Exposure" vulnerabilities.
Summary
The Mail Mint plugin for WordPress contains multiple unauthenticated REST API endpoints that disclose sensitive information about the site. Due to the use of '__return_true' as a permission callback, any unauthorized visitor can retrieve lists of site administrators, pages, posts, and products.
Vulnerable Code
```php
// app/API/Routes/Admin/WPRoute.php line 52
public function register_routes() {
    $this->controller = WPController::get_instance();

    // Get wp pages api endpoint
    register_rest_route(
        $this->namespace,
        '/' . $this->rest_base . '/pages',
        array(
            array(
                'methods'             => \WP_REST_Server::READABLE,
                'callback'            => array( $this->controller, 'get_pages' ),
                'permission_callback' => '__return_true',
            ),
        )
    );
```

---

```php
// app/API/Routes/Admin/WPRoute.php line 125
register_rest_route(
    $this->namespace,
    '/' . $this->rest_base . '/admins',
    array(
        array(
            'methods'             => \WP_REST_Server::READABLE,
            'callback'            => array( $this->controller, 'get_admins' ),
            'permission_callback' => '__return_true',
        ),
    )
);
```
Security Fix
@@ -146,7 +146,7 @@ array( 'methods' => \WP_REST_Server::READABLE, 'callback' => array( $this->controller, 'get_admins' ), - 'permission_callback' => '__return_true', + 'permission_callback' => PermissionManager::current_user_can( 'manage_options' ), ), ) );
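Review bot: the replacement `'permission_callback' => PermissionManager::current_user_can( 'manage_options' )` is evaluated once, at route registration time inside `rest_api_init`, so it only closes the hole if `PermissionManager::current_user_can()` returns a callable (for instance a closure that performs the capability check when each request arrives); if it returns a boolean, WordPress would be handed a non-callable permission callback instead of a per-request check, and that method's return type should be confirmed in review. The hunk also covers only the `/admins` route; the `/pages` registration at line 52 in the Vulnerable Code above carries the same `'__return_true'` and needs the same change, as do the other `mrm/v1/wp/` sub-routes the advisory lists.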
Exploit Outline
The exploit is a direct unauthenticated GET request to the plugin's exposed REST API endpoints. An attacker does not need a login or a nonce. By hitting `{{base_url}}/wp-json/mrm/v1/wp/admins`, the attacker can retrieve a JSON list of all WordPress administrators, including their usernames and IDs. Similar requests can be made to `/wp-json/mrm/v1/wp/pages` and `/wp-json/mrm/v1/wp/posts` to disclose potentially non-public content metadata.
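For site operators who cannot update to 1.19.5 immediately, the following added example (not part of this advisory or of the plugin) is a must-use plugin that enforces the missing capability check on every route under the `/mrm/v1/wp/` prefix named above and writes one log line per denied request, so attempts against these endpoints show up in the PHP error log. The file name, the constant `MRM_WP_ROUTE_PREFIX`, and the function name are assumptions.

```php
<?php
/**
 * Plugin Name: Mail Mint REST hardening (temporary, added example)
 *
 * Place in wp-content/mu-plugins/ until Mail Mint is updated to 1.19.5.
 * Not Mail Mint's own code: it uses the core rest_request_before_callbacks
 * filter, which runs before a route's own permission_callback, to reject
 * non-administrators on the affected helper routes and to log the attempt.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Route prefix from the advisory; every sub-route beneath it is covered
// (admins, pages, posts, products, categories, tags).
const MRM_WP_ROUTE_PREFIX = '/mrm/v1/wp/';

/**
 * Decide whether a request may proceed.
 * Returns null to leave the request untouched, or a WP_Error that stops it.
 * Kept separate from the hook so the decision logic is easy to read and review.
 */
function mrm_hardening_decide( string $route, bool $can_manage, bool $logged_in ) {
    if ( strncmp( $route, MRM_WP_ROUTE_PREFIX, strlen( MRM_WP_ROUTE_PREFIX ) ) !== 0 ) {
        return null; // not one of the affected routes
    }
    if ( $can_manage ) {
        return null; // administrator (authenticated with a valid nonce or token)
    }
    return new WP_Error(
        'rest_forbidden',
        'Administrator access required for this endpoint.',
        array( 'status' => $logged_in ? 403 : 401 )
    );
}

add_filter(
    'rest_request_before_callbacks',
    function ( $response, $handler, WP_REST_Request $request ) {
        // get_route() yields e.g. "/mrm/v1/wp/admins" for the vulnerable endpoint.
        $decision = mrm_hardening_decide(
            $request->get_route(),
            current_user_can( 'manage_options' ),
            is_user_logged_in()
        );
        if ( null === $decision ) {
            return $response;
        }
        // Detection: one line per denied request, for the site's log monitoring.
        error_log( sprintf(
            'mrm-hardening: denied %s %s from %s (user=%d)',
            $request->get_method(),
            $request->get_route(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
            get_current_user_id()
        ) );
        return $decision;
    },
    10,
    3
);
```

Because the filter returns a `WP_Error`, WordPress skips both the route's `'__return_true'` permission callback and the `get_admins`/`get_pages`/`get_posts` controller methods and answers with a JSON error and a 401 or 403 status; the verification steps in section 8 can be rerun afterwards to confirm the user list is no longer returned.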