Mail Mint, an email marketing plugin active on over 20,000 WordPress sites, had an unauthenticated REST API endpoint in versions prior to 1.19.5 that let anyone enumerate the email addresses of every registered user on the site. No login required. One curl command.
What the vulnerability does
The plugin registers a route at /wp-json/mrm/v1/wp/admins — intended to power an autocomplete field in the campaign email builder, where admins pick a “from” address. The problem is how the endpoint is protected. Or rather, how it isn’t.
In app/API/Routes/Admin/WPRoute.php, the permission callback is set to __return_true:
'permission_callback' => '__return_true',
__return_true is a legitimate WordPress built-in, used for genuinely public endpoints (e.g. a newsletter subscribe form). Here, it means the endpoint accepts requests from absolutely anyone on the internet, logged in or not.
The handler in WPController.php then calls get_users() with a wildcard search:
$args = array(
    'search' => '*' . esc_attr($term) . '*',
    'fields' => array('ID', 'user_email')
);
$users = get_users($args);
No role argument. Despite the function being named get_admins, it returns subscribers, editors, customers, administrators — everyone in wp_users whose login, display name, or email contains the search term. By iterating through the alphabet, an attacker can harvest the full user list:
for char in {a..z} {0..9}; do
    curl -s "https://target.com/wp-json/mrm/v1/wp/admins?term=$char" | jq -r '.admins[].label'
done | sort -u
That loop returns every email address on the site. On a WooCommerce store with thousands of customers, it silently exports the entire customer email list.
The rest of the plugin handles authentication correctly. Other routes use a PermissionManager pattern — ContactRoute.php, for example, uses PermissionManager::current_user_can('mint_read_contacts'), which returns a proper 401 for unauthenticated requests. The /wp/admins route simply skipped it.
Checking if you’re affected
Any installation running Mail Mint below version 1.19.5 with the plugin active is vulnerable. You can confirm by checking your installed version in the WordPress admin under Plugins, or by using WP CLI:
wp plugin get mail-mint --field=version --path=/your/wordpress/path
You can also test the endpoint directly. On an affected site, this will return user data:
curl -s "https://your-site.com/wp-json/mrm/v1/wp/admins?term=a"
A patched site answers that unauthenticated request with a 401 (or, at most, an empty response) instead of a list of users.
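If you manage more than a handful of sites, the two checks above are worth scripting. The following is an added example written for this write-up, not Mail Mint's own code: it compares an installed version string against 1.19.5 numerically (a plain string comparison would wrongly treat 1.19.10 as older than 1.19.5), and it turns an endpoint probe into a verdict. The JSON shape it expects from a vulnerable site (an "admins" array of objects with a "label" key) is inferred from the jq filter used earlier; the "route-missing" and "no-data" labels, the User-Agent string, and the script name in the usage note are this example's own assumptions.

```python
"""Fleet check for the Mail Mint /wp/admins exposure.

Added example, not Mail Mint code. Offline parts: version comparison and
response classification. probe() makes a real request when run by hand."""
import json
import re
import sys
from urllib.error import HTTPError
from urllib.request import Request, urlopen

FIXED_VERSION = "1.19.5"          # first release with the permission check
PROBE_PATH = "/wp-json/mrm/v1/wp/admins?term=a"


def parse_version(version):
    """'1.19.5' -> (1, 19, 5); trailing tags such as '-beta' are ignored."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"not a version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable_version(version):
    """True for any Mail Mint release below 1.19.5 (tuple compare, not string)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def classify_response(status, body):
    """Map an unauthenticated probe of the endpoint to (verdict, labels).

    exposed        -> 200 with a non-empty "admins" array: user data leaked
    patched        -> 401/403: permission callback now refuses anonymous callers
    no-data        -> 200 with nothing in it: treat as inconclusive, retry later
    route-missing  -> 404: plugin not active or route not registered
    """
    if status in (401, 403):
        return "patched", []
    if status == 404:
        return "route-missing", []
    if status == 200:
        try:
            data = json.loads(body) if body.strip() else {}
        except json.JSONDecodeError:
            return "unknown", []
        admins = data.get("admins") if isinstance(data, dict) else None
        if admins:
            labels = [a.get("label") for a in admins
                      if isinstance(a, dict) and a.get("label")]
            return "exposed", labels
        return "no-data", []
    return "unknown", []


def probe(site_url, timeout=10):
    """Send one anonymous GET to the endpoint and classify the answer."""
    req = Request(site_url.rstrip("/") + PROBE_PATH,
                  headers={"User-Agent": "mailmint-exposure-check"})  # assumed UA
    try:
        with urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except HTTPError as err:  # 401/403/404 arrive here, not as a return value
        return classify_response(err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    # Usage: python3 mailmint_check.py https://shop.example https://blog.example
    for site in sys.argv[1:]:
        verdict, labels = probe(site)
        print(f"{site}: {verdict}" + (f" ({len(labels)} labels returned)" if labels else ""))
```

Feed is_vulnerable_version() the output of the wp plugin get command from above; the probe is the authoritative check, since a site may have the plugin installed at a vulnerable version but deactivated, in which case the route simply does not exist.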
What to do
Update to Mail Mint 1.19.5 or later. The patch adds a proper permission check to the route, restricting access to authenticated users with the mint_read_contacts capability.
If you manage multiple sites, check whether any are running an older version — particularly WooCommerce stores where Mail Mint would have been ingesting customer data. The endpoint requires no special configuration to be exploitable; if the plugin is active and the version is below 1.19.5, the user list is exposed.
There’s no evidence of this being exploited at scale before disclosure, but the simplicity of the attack (a single unauthenticated GET request, no tooling required) means the window between disclosure and exploitation tends to be short.
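Because the attack leaves an obvious trace (one client walking term=a, term=b, ... against a single route), it is easy to look for in web-server logs after patching. The following is an added example for this write-up, not part of the original post or of Mail Mint: it parses Nginx/Apache "combined" format access logs and reports any client that sent several distinct term= values to the endpoint within a short window. The log lines, the 5-term/60-second threshold and the IP addresses are constructed for the example.

```python
"""Spot alphabet sweeps against /wp-json/mrm/v1/wp/admins in access logs.

Added example, not Mail Mint code. Assumes the Nginx/Apache "combined" log
format; SAMPLE_LOG below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/wp-json/mrm/v1/wp/admins"

# combined format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: 203.0.113.7 sweeps a vulnerable site and gets data back;
# 198.51.100.4 is an admin's single autocomplete lookup from the email builder;
# 192.0.2.9 sweeps a patched site and is refused with 401 every time.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /wp-json/mrm/v1/wp/admins?term=a HTTP/1.1" 200 412 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /wp-json/mrm/v1/wp/admins?term=b HTTP/1.1" 200 388 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Mar/2025:12:00:03 +0000] "GET /wp-json/mrm/v1/wp/admins?term=c HTTP/1.1" 200 301 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Mar/2025:12:00:04 +0000] "GET /wp-json/mrm/v1/wp/admins?term=d HTTP/1.1" 200 275 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Mar/2025:12:00:05 +0000] "GET /wp-json/mrm/v1/wp/admins?term=e HTTP/1.1" 200 450 "-" "curl/8.4.0"',
    '203.0.113.7 - - [10/Mar/2025:12:00:06 +0000] "GET /wp-json/mrm/v1/wp/admins?term=f HTTP/1.1" 200 120 "-" "curl/8.4.0"',
    '198.51.100.4 - - [10/Mar/2025:12:05:00 +0000] "GET /wp-json/mrm/v1/wp/admins?term=jo HTTP/1.1" 200 96 "https://target.com/wp-admin/" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Mar/2025:12:10:00 +0000] "GET /wp-json/mrm/v1/wp/admins?term=a HTTP/1.1" 401 71 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Mar/2025:12:10:01 +0000] "GET /wp-json/mrm/v1/wp/admins?term=b HTTP/1.1" 401 71 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Mar/2025:12:10:02 +0000] "GET /wp-json/mrm/v1/wp/admins?term=c HTTP/1.1" 401 71 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Mar/2025:12:10:03 +0000] "GET /wp-json/mrm/v1/wp/admins?term=d HTTP/1.1" 401 71 "-" "python-requests/2.31"',
    '192.0.2.9 - - [10/Mar/2025:12:10:04 +0000] "GET /wp-json/mrm/v1/wp/admins?term=e HTTP/1.1" 401 71 "-" "python-requests/2.31"',
]


def parse_line(line):
    """Return a dict with ip, time, path, term, status, ua; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    terms = parse_qs(url.query).get("term", [])
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": url.path,
        "term": terms[0] if terms else None,
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def find_sweeps(lines, min_terms=5, window=timedelta(seconds=60), successful_only=True):
    """Return {ip: sorted distinct terms} for clients that sent at least
    min_terms distinct term= values to ENDPOINT inside `window`.

    With successful_only=True only 200 responses count, i.e. sweeps that
    actually got data. Set it to False to also surface attempts that a
    patched site refused (useful to know who is probing you)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != ENDPOINT or rec["term"] is None:
            continue
        if successful_only and rec["status"] != 200:
            continue
        per_ip[rec["ip"]].append((rec["time"], rec["term"]))

    hits = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({t for _, t in events[start:end + 1]}) >= min_terms:
                hits[ip] = sorted({t for _, t in events})
                break
    return hits


if __name__ == "__main__":
    for ip, terms in find_sweeps(SAMPLE_LOG).items():
        print(f"{ip}: {len(terms)} distinct terms swept ({', '.join(terms)})")
```

The combined format does not record cookies, so the script cannot tell an anonymous client from a logged-in admin; it relies on the fact that the real autocomplete issues one or two lookups for a typed prefix, never a systematic walk of single characters. If your logs do include the WordPress auth cookie, filter on its absence as well and the threshold can be lowered.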