Platform
wordpress
Component
mail-mint
Fixed in
1.19.3
CVE-2026-1447 is a Cross-Site Scripting (XSS) vulnerability discovered in the Mail Mint WordPress plugin. This vulnerability allows unauthenticated attackers to potentially create or update contact notes through forged requests, leading to stored XSS attacks. The vulnerability affects versions 1.0.0 through 1.19.2 of the plugin, and a patch is available in version 1.19.3.
Successful exploitation of CVE-2026-1447 could allow an attacker to inject malicious JavaScript code into the Mail Mint plugin's database. This code could then be executed in the browsers of any user who views a page containing the injected script, such as a site administrator reviewing contact notes. The attacker could steal session cookies, redirect users to phishing sites, or deface the website. The stored nature of the XSS means the attack persists until the vulnerability is patched, potentially impacting a large number of users over time.
CVE-2026-1447 was publicly disclosed on 2026-02-03. No public proof-of-concept (POC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. Given the relatively simple nature of the XSS and the plugin's popularity, active exploitation is possible, though unconfirmed.
Websites using the Mail Mint plugin, particularly those with site administrators who are not vigilant about clicking on suspicious links, are at risk. Shared hosting environments where multiple websites share the same server resources could also be affected if one site is compromised.
• wordpress / composer / npm (check whether the affected handler is present in the installed plugin):
grep -r "create_or_update_note" /var/www/html/wp-content/plugins/mail-mint/
• wordpress / composer / npm (check whether the plugin is active):
wp plugin list --status=active | grep mail-mint
• wordpress / composer / npm (update the plugin to the fixed release):
wp plugin update mail-mint
Exploit status
EPSS
0.01% (percentile 1%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1447 is to upgrade the Mail Mint plugin to version 1.19.3 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the create_or_update_note function that lack proper nonce validation. Additionally, carefully review any contact notes created or modified around the time of the vulnerability disclosure for signs of malicious code. After upgrading, confirm the vulnerability is resolved by attempting to create a contact note with a crafted request and verifying that the script is not executed.
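The review step above (checking stored contact notes for injected markup) can be done with a small script. This is an added example, not code from the Mail Mint plugin or this advisory; it assumes the notes have already been exported as a list of records with an "id" and a "note" field (the plugin's table and column names are not given here), and the sample records are constructed.

```python
"""Flag contact notes that contain stored-XSS indicators (added example)."""
import html
import re

# Patterns a reviewer would not expect in a field meant to hold plain text.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "embed_tag": re.compile(r"<\s*(iframe|object|embed|svg|img|math)\b", re.I),
    "data_uri": re.compile(r"data\s*:\s*text/html", re.I),
}


def normalise(text):
    """Undo up to two levels of HTML entity encoding and drop control
    characters, so encoded or whitespace-split payloads are still matched."""
    out = text
    for _ in range(2):
        out = html.unescape(out)
    return re.sub(r"[\x00-\x1f]+", "", out)


def scan_note(note):
    """Return the names of all indicators found in a single note body."""
    body = normalise(note)
    return [name for name, rx in INDICATORS.items() if rx.search(body)]


def scan_notes(records):
    """Return (id, indicators) for every record whose note is suspicious."""
    findings = []
    for rec in records:
        hits = scan_note(rec.get("note", ""))
        if hits:
            findings.append((rec["id"], hits))
    return findings


# Constructed sample export, not real data: ids 103-105 should be flagged.
SAMPLE_NOTES = [
    {"id": 101, "note": "Called customer, follow up next week."},
    {"id": 102, "note": "Interested in the <b>premium</b> plan."},
    {"id": 103, "note": "<script>alert(1)</script>"},
    {"id": 104, "note": "<img src=x onerror=alert(1)>"},
    {"id": 105, "note": "&amp;lt;svg onload=alert(1)&amp;gt;"},  # double-encoded
]

if __name__ == "__main__":
    for note_id, hits in scan_notes(SAMPLE_NOTES):
        print(f"note {note_id}: {', '.join(hits)}")
```

Any flagged note should be inspected by hand, and its creation time compared with the disclosure window, before being removed.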
Update to version 1.19.3, or a newer fixed version
CVE-2026-1447 is a Cross-Site Scripting (XSS) vulnerability affecting versions 1.0.0–1.19.2 of the Mail Mint WordPress plugin, allowing attackers to inject malicious scripts.
You are affected if you are using Mail Mint plugin versions 1.0.0 through 1.19.2. Upgrade to version 1.19.3 or later to mitigate the risk.
Upgrade the Mail Mint plugin to version 1.19.3 or later. Consider implementing a WAF rule to block requests lacking nonce validation as a temporary workaround.
Active exploitation is possible, though unconfirmed. No public proof-of-concept code has been released.
Refer to the official Mail Mint plugin website or WordPress plugin repository for the latest advisory and update information.