Any organization running an affected WordPress site has potentially exposed the full list of registered user email addresses (customers, employees, or members) to anyone on the internet. Such a list enables targeted phishing and credential-stuffing campaigns against those users, creating downstream fraud liability and customer harm. Depending on the jurisdiction and the nature of the user base, the exposure may trigger breach notification obligations under GDPR, state privacy laws, or other data protection regulations, with associated legal costs and reputational damage.
You Are Affected If
You run the Mail Mint (WPFunnels) WordPress plugin at a version earlier than 1.19.5 on any WordPress installation
The affected WordPress site is internet-facing and its REST API (served under /wp-json/ by default) is reachable without authentication, which is the WordPress default configuration
No WAF or IPS rule is in place to block unauthenticated access to WordPress REST API endpoints
You have registered users (customers, subscribers, employees, members) whose email addresses are stored in the WordPress user database
You have not updated Mail Mint to version 1.19.5 or later since the vulnerability was disclosed
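A script that evaluates the first and last conditions above against a WP-CLI plugin inventory, added here as an example and not code from Mail Mint, WPFunnels, or WordPress. It assumes the plugin is reported by `wp plugin list` under the slug `mail-mint` and that 1.19.5 is the first fixed release; the inventory embedded at the bottom is constructed sample output, not data from a real site. Versions are compared numerically rather than as strings, because a string comparison would wrongly rank a future 1.19.10 as older than 1.19.5:

```python
"""Flag a vulnerable Mail Mint install from `wp plugin list --format=json` output."""
import json
import re
import sys

# Assumed slug under which WP-CLI reports the plugin (wordpress.org slug "mail-mint").
MAIL_MINT_SLUG = "mail-mint"
# First fixed release according to the advisory.
FIXED_VERSION = "1.19.5"


def parse_version(ver: str) -> tuple:
    """Turn '1.19.5' or '1.19.5-rc1' into a tuple that compares correctly.

    Numeric components are compared as integers; a pre-release suffix sorts
    before the bare release of the same number, so 1.19.5-rc1 < 1.19.5.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", ver.strip())
    if not m:
        raise ValueError(f"unparseable version: {ver!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    nums = nums + (0,) * (3 - len(nums))  # 1.19 == 1.19.0
    suffix = m.group(2).lstrip("-.").lower()
    return (nums, 1) if not suffix else (nums, 0, suffix)


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the first fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def assess_inventory(plugin_list_json: str) -> dict:
    """Evaluate one site's `wp plugin list --format=json` output.

    'vulnerable' is purely version-based. 'exposed' additionally requires the
    plugin to be active: WordPress only loads active plugins, so an inactive
    copy registers no REST routes, though it should still be updated before
    anyone reactivates it.
    """
    for plugin in json.loads(plugin_list_json):
        if plugin.get("name") != MAIL_MINT_SLUG:
            continue
        version = plugin["version"]
        active = plugin.get("status") == "active"
        vulnerable = is_vulnerable(version)
        return {
            "installed": True,
            "version": version,
            "active": active,
            "vulnerable": vulnerable,
            "exposed": vulnerable and active,
        }
    return {"installed": False, "version": None, "active": False,
            "vulnerable": False, "exposed": False}


# Constructed sample inventory, in the shape WP-CLI emits (not from a real site).
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "mail-mint", "status": "active", "update": "available", "version": "1.19.4"},
])


if __name__ == "__main__":
    # Usage on the host:  wp plugin list --format=json | python3 check_mailmint.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_PLUGIN_LIST
    result = assess_inventory(data)
    print(json.dumps(result, indent=2))
    sys.exit(2 if result["exposed"] else 0)
```

The script exits non-zero when an active, unpatched copy is found, so it can be looped over a fleet of sites from a cron job or CI step. It checks only the version condition; confirm the remaining conditions (internet exposure, REST API reachability, absence of a WAF rule) separately.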
Board Talking Points
An actively exploited flaw in a widely used WordPress email marketing plugin allows attackers to silently collect every registered user's email address from affected sites with no login required.
Affected sites should be updated to Mail Mint version 1.19.5 or later immediately, and within 24 hours for internet-facing installations, given confirmed active exploitation.
Without patching, user email lists remain exposed indefinitely, increasing the probability of targeted phishing against your customers or staff and potential regulatory breach notification requirements.
GDPR: unauthenticated access to registered user email addresses meets the Article 4(12) definition of a personal data breach (unauthorised disclosure of, or access to, personal data), which triggers notification to the supervisory authority within 72 hours under Article 33 unless the breach is unlikely to result in a risk to the individuals concerned
CCPA/CPRA: exposure of California resident email addresses collected through a WordPress site may constitute a security breach requiring notification under Cal. Civ. Code § 1798.82. Note that § 1798.82 defines "personal information" narrowly; a standalone email address not combined with a password or security-question data generally falls outside that definition, so counsel should confirm whether any other exposed element brings the incident within scope