What the vulnerability does
01Description
Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Mail Mint: from n/a through <= 1.19.4.
CVE-2026-23541
HIGH
CVE-2026-23541: WordPress Mail Mint plugin <= 1.19.4 - Broken Access Control vulnerability
CVSS base score
7.5/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Explanation of Vulnerability in Simple Terms
02Summary
Mail Mint versions up to 1.19.4 lack proper authorization checks, allowing unauthenticated attackers to read sensitive data through the application. The vulnerability requires only network access and no user interaction. An attacker can retrieve confidential information without needing valid credentials or special privileges.
What an attacker can do
03Attacker Capabilities
Read sensitive data from Mail Mint without authentication.
Potential impact on your site
04Site Impact
Confidential data stored in Mail Mint may be exposed to unauthorized parties.
Conditions required to exploit
05Prerequisites
Network access to the Mail Mint application; no authentication required.
Key dates
06Disclosure timeline
February 19, 2026
CVE published
April 28, 2026
Record updated
External resources
07References
Related vulnerabilities
08Related CVE
CVE-2026-50108 Naxclow IoT Platform Missing Authorization
CVE-2023-36506 WordPress YITH WooCommerce Waitlist plugin <= 2.13.0 - Broken Access Control vulnerability
CVE-2025-64638 WordPress OnPay.io for WooCommerce plugin <= 1.0.47 - Broken Access Control vulnerability
CVE-2025-32178 WordPress 6Storage Rentals plugin <= 2.20.2 - Broken Access Control vulnerability
CVE-2026-39705 WordPress MIPL WC Multisite Sync plugin <= 1.4.4 - Broken Access Control vulnerability
