Mail Mint <= 1.19.2 - Cross-Site Request Forgery to Stored Cross-Site Scripting

Key Vulnerability Information

CVE: CVE-2026-1447
CVSS: 5.4 (Medium)
Publicly Published: February 2, 2026
Last Updated: February 3, 2026
Researcher: w41bu1 - VNPT Cyber Immunity

Vulnerability Details

Description: The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This allows unauthenticated attackers to create or update contact notes via a forged request, leading to stored Cross-Site Scripting.

References
- plugins.trac.wordpress.org

Affected Version: <= 1.19.2
Patched Version: 1.19.3

Remediation

Patched?: Yes
Remediation: Update to version 1.19.3, or a newer patched version.
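
The checks whose absence the description points to, as an added example that is not Mail Mint's code: a hypothetical admin-ajax note handler that verifies a nonce before writing and escapes the note when rendering it. The action name `example_save_note`, the `nonce` field, the `manage_options` capability and the option-based storage are all assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Example contact-note handler (illustration only)
 * Hypothetical code: names below are assumptions, not Mail Mint identifiers.
 */

// Logged-in users only; no wp_ajax_nopriv_ hook is registered.
add_action( 'wp_ajax_example_save_note', 'example_save_note' );

function example_save_note() {
    // 1. CSRF: reject requests that lack a valid nonce for this action.
    //    Cookies are sent automatically by the browser; the nonce is not.
    if ( ! check_ajax_referer( 'example_save_note', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // 2. Authorization: a nonce proves intent, not permission.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input handling: strip tags from the note before it is stored.
    $contact_id = isset( $_POST['contact_id'] ) ? absint( $_POST['contact_id'] ) : 0;
    $note       = isset( $_POST['note'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['note'] ) )
        : '';
    if ( 0 === $contact_id || '' === $note ) {
        wp_send_json_error( array( 'message' => 'Missing fields' ), 400 );
    }

    // Storage is an assumption: one option per contact keeps the example short.
    update_option( 'example_note_' . $contact_id, $note, false );
    wp_send_json_success( array( 'contact_id' => $contact_id ) );
}

// 4. Output: escape at render time even though input was sanitized.
function example_render_note( $contact_id ) {
    $note = get_option( 'example_note_' . absint( $contact_id ), '' );
    echo '<p class="example-note">' . nl2br( esc_html( $note ) ) . '</p>';
}

// The admin page embeds the nonce so only pages served by the site can submit.
function example_note_nonce_field() {
    wp_nonce_field( 'example_save_note', 'nonce' );
}
```

Steps 1 and 3-4 address the two halves of the chain in the title separately: the nonce blocks the forged write, and sanitizing plus escaping keeps a stored note from executing as script if a write does get through.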