CVE-2026-23541
Published: 19 February 2026
Summary
CVE-2026-23541 is a high-severity Missing Authorization (CWE-862) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2026-23541 is a missing authorization vulnerability (CWE-862) in the WPFunnels Mail Mint WordPress plugin, enabling access to functionality not properly constrained by access control lists (ACLs). This issue affects Mail Mint versions from n/a through 1.19.4 inclusive. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high severity due to its network accessibility and confidentiality impact.
Unauthenticated attackers with network access can exploit the vulnerability with low attack complexity and no user interaction. Exploitation allows unauthorized access to constrained functionality, resulting in high confidentiality impact without affecting integrity or availability.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/mail-mint/vulnerability/wordpress-mail-mint-plugin-1-19-4-broken-access-control-vulnerability?_s_id=cve provides details on this broken access control issue in the Mail Mint plugin version 1.19.4.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-7944
Vulnerability details
Missing Authorization vulnerability in WPFunnels Mail Mint mail-mint allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Mail Mint: from n/a through <= 1.19.4.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization (CWE-862) in public-facing WordPress plugin directly enables remote exploitation of constrained functionality without authentication.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
AC-3 mandates enforcement of approved authorizations for access to system resources, directly countering the missing authorization checks in Mail Mint that allow unauthenticated access to constrained functionality.
AC-24 requires explicit access control decisions for system resources based on defined personnel or roles, addressing the improper ACL constraints exploited in this CVE.
AC-6 enforces least privilege principles, limiting access to Mail Mint plugin functionality to only necessary privileges and mitigating unauthorized exploitation.