CVE-2025-58604

WPFunnels · WPFunnels Mail Mint (WordPress Plugin)

Executive summary

A high-severity SQL Injection vulnerability in the WPFunnels Mail Mint WordPress plugin allows an attacker, likely with low-level privileges, to execute arbitrary SQL queries and exfiltrate sensitive database information.

Vulnerability

The plugin fails to properly sanitize user-supplied input before incorporating it into an SQL query, resulting in a SQL Injection vulnerability. The required authentication level is not specified, but many plugin vulnerabilities of this type are exploitable by authenticated users with low privileges, such as a subscriber.
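The flaw class described above, as an added illustration that is not code from the Mail Mint plugin (the plugin's actual query and table are not shown on this page): the same lookup written once by splicing input into the SQL text and once with a bound parameter, run against a constructed in-memory SQLite table. The hypothetical `leads` table, the `find_leads_*` function names and the inputs are all assumptions made for the example; in WordPress the bound-parameter form corresponds to `$wpdb->prepare()`.

```python
import sqlite3

# Constructed sample data: a tiny in-memory table standing in for a plugin's
# lead/contact table. Not the plugin's real schema.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE leads (id INTEGER PRIMARY KEY, email TEXT, status TEXT)")
    conn.executemany("INSERT INTO leads (email, status) VALUES (?, ?)", [
        ("alice@example.test", "subscribed"),
        ("bob@example.test", "unsubscribed"),
        ("carol@example.test", "subscribed"),
    ])
    return conn

def find_leads_unsafe(conn, status):
    # Vulnerable pattern: the caller-controlled value becomes part of the SQL text,
    # so quote characters in it change the structure of the query.
    sql = "SELECT email FROM leads WHERE status = '" + status + "'"
    return [row[0] for row in conn.execute(sql)]

def find_leads_safe(conn, status):
    # Hardened pattern: the value is bound as a parameter and is only ever data;
    # the database never parses it as SQL.
    sql = "SELECT email FROM leads WHERE status = ?"
    return [row[0] for row in conn.execute(sql, (status,))]

def demo():
    conn = build_db()
    benign = "subscribed"
    # Constructed input whose quote turns the WHERE clause into a tautology.
    tautology = "x' OR '1'='1"
    return {
        "unsafe_benign": find_leads_unsafe(conn, benign),
        "unsafe_tautology": find_leads_unsafe(conn, tautology),   # every row leaks
        "safe_benign": find_leads_safe(conn, benign),
        "safe_tautology": find_leads_safe(conn, tautology),       # no rows: the literal status does not exist
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The unsafe function returns all three rows for the crafted input because the quote closes the string literal and the rest is interpreted as SQL; the parameterised function returns nothing because the whole string is compared as a value. Escaping alone is not the fix; binding is.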

Business impact

Rated High with a CVSS score of 7.6, this vulnerability poses a direct threat to the website's database. An attacker could extract sensitive user data (usernames, hashed passwords, PII), modify site content, or, in some database configurations, escalate the attack to code execution on the server. This could result in a full site compromise and a significant data breach.

Remediation

Immediate Action: Update the WPFunnels Mail Mint plugin to the latest patched version from the WordPress dashboard without delay.

Proactive Monitoring: Review web server and database logs for suspicious requests and queries containing SQL syntax such as UNION, SELECT, or time-delay functions like SLEEP(). Monitor for any unauthorized creation of new administrative user accounts.
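A concrete form of the log review recommended above, added here as an example and not taken from the advisory or the plugin vendor: a scanner that parses combined-format access log lines, URL-decodes the request URI (repeatedly, so double-encoded payloads are not missed) and flags the SQL syntax the advisory names. The log lines, IPs and the `action=example` endpoint are constructed for the example and are not the plugin's real endpoints.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format). The endpoints,
# addresses and parameters are made up for illustration.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=example&id=42 HTTP/1.1" 200 512
203.0.113.11 - - [01/Jan/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=example&id=42%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 2048
203.0.113.12 - - [01/Jan/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=example&id=42%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512
203.0.113.13 - - [01/Jan/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=example&id=42%2520UNION%2520SELECT%25201 HTTP/1.1" 200 512
203.0.113.14 - - [01/Jan/2025:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

# One regex per indicator named in the advisory, plus two common companions.
SQLI_PATTERNS = [
    ("union_select", re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I)),
    ("time_based", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I)),
    ("schema_probe", re.compile(r"\binformation_schema\b", re.I)),
    ("comment_end", re.compile(r"(--|#|/\*)\s*$")),
    ("tautology", re.compile(r"['\"]\s*(or|and)\s+['\"\d]", re.I)),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def decode_fully(value, rounds=3):
    # Decode until the string stops changing (bounded), so %2520 -> %20 -> space
    # is caught; a single decode would leave the keywords hidden.
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_log(text):
    """Return one finding per log line whose decoded URI matches any indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue   # skip lines that are not in the expected format
        uri = decode_fully(m.group("uri"))
        hits = [name for name, pat in SQLI_PATTERNS if pat.search(uri)]
        if hits:
            findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "uri": uri, "indicators": hits})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["indicators"], f["uri"])
```

Matching on the decoded URI is the important design choice: raw log lines carry `%20` and `%27`, so keyword patterns applied to the undecoded text miss most of these requests, and a single decode still misses the double-encoded fourth line. Keep the patterns as triage signals, not proof; POST bodies are not in access logs at all, which is why the advisory also points to database query logs.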

Compensating Controls: Deploy a Web Application Firewall (WAF) with a specific ruleset for WordPress that is designed to detect and block SQL Injection attacks. Ensure the database user for WordPress has the minimum necessary privileges.

Exploitation status

Public Exploit Available: false

Analyst recommendation

SQL Injection is a critical vulnerability that can lead to a complete compromise of a WordPress site. All site administrators using the Mail Mint plugin must update it to the patched version without delay to protect their user data and website integrity.