CVE-2025-59570: 
WordPress vulnerability analysis and mitigation

A SQL Injection vulnerability (CVE-2025-59570) was discovered in the WordPress Mail Mint plugin affecting versions through 1.18.6. The vulnerability was reported by Le Cong Danh (vodanh) on September 3, 2025, and was publicly disclosed on September 22, 2025. The issue specifically involves improper neutralization of special elements used in SQL commands within the WPFunnels Mail Mint plugin (Patchstack).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). It received a CVSS v3.1 score of 7.6 (High), with the following vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L. The vulnerability requires administrator privileges to exploit (Patchstack).

This vulnerability could allow a malicious actor with administrator access to directly interact with the database, potentially leading to unauthorized data access and information theft. The high CVSS score indicates significant potential for data compromise, although the attack scope is somewhat limited by the requirement for administrator privileges (Patchstack).

The vulnerability has been patched in version 1.18.7 of the Mail Mint plugin. Users are advised to update to version 1.18.7 or later to remediate the vulnerability. Patchstack users have the option to enable auto-updates for vulnerable plugins as an additional security measure (Patchstack).