Any organization running an affected WordPress site has potentially exposed its full list of registered user email addresses (customers, employees, or members) to anyone on the internet. This data enables targeted phishing and credential stuffing campaigns against those users, creating downstream fraud liability and customer harm. Depending on the jurisdiction and the nature of the user base, this exposure may trigger breach notification obligations under GDPR, state privacy laws, or other data protection regulations, with associated legal costs and reputational damage.
You Are Affected If
You run the Mail Mint (WPFunnels) WordPress plugin at a version earlier than 1.19.5 on any WordPress installation
The affected WordPress site is internet-facing and the REST API is accessible without authentication
No WAF or IPS rule is in place to block unauthenticated access to WordPress REST API endpoints
You have registered users (customers, subscribers, employees, members) whose email addresses are stored in the WordPress user database
You have not applied the Mail Mint 1.19.5 update since the vulnerability was disclosed
Board Talking Points
An actively exploited flaw in a widely used WordPress email marketing plugin allows attackers to silently collect every registered user's email address from affected sites with no login required.
Affected sites should be patched to Mail Mint version 1.19.5 immediately — within 24 hours for internet-facing installations, given confirmed active exploitation.
Without patching, user email lists remain exposed indefinitely, increasing the probability of targeted phishing against your customers or staff and potential regulatory breach notification requirements.
GDPR Article 33 / Article 34 — Confirmed enumeration of registered user email addresses constitutes a personal data breach. Organizations subject to GDPR must assess notification obligations to supervisory authorities (within 72 hours) and affected individuals if the breach is likely to result in high risk.
HIPAA Breach Notification Rule (45 CFR §§ 164.400–414) — If the affected WordPress installation processes or is associated with protected health information (PHI), confirmed email enumeration may trigger breach notification obligations to HHS and affected individuals.
CISA KEV Binding Operational Directive 22-01 — Federal civilian executive branch (FCEB) agencies are required to remediate all CISA KEV vulnerabilities by the specified due date. This CVE is confirmed in the CISA KEV catalog; affected federal agencies must patch on the KEV timeline regardless of internal patch cycles.