cbcvebase.
CVE-2016-10956
published 2019-09-16

CVE-2016-10956: The mail-masta plugin 1.0 for WordPress has local file inclusion in count_of_send.php and csvexport.php.

PriorityP357high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
10.58%
95.2th percentile
The mail-masta plugin 1.0 for WordPress has local file inclusion in count_of_send.php and csvexport.php.

Affected

1 ranges
VendorProductVersion rangeFixed in
mail-masta_projectmail-masta

Detection & IOCsextracted from sources · hover to see the quote

url/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd
url/wp-content/plugins/mail-masta/inc/lists/csvexport.php?pl=/etc/passwd
path/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php
path/wp-content/plugins/mail-masta/inc/lists/csvexport.php
yara
rule CVE_2016_10956_LFI_response { strings: $passwd = /root:.*:0:0:/ condition: $passwd }
  • Detect exploitation attempts by monitoring GET requests to the vulnerable LFI parameter `?pl=` on count_of_send.php or csvexport.php within the mail-masta plugin path.
  • Responses containing the pattern `root:.*:0:0:` in the HTTP body indicate successful LFI exploitation and /etc/passwd file disclosure.
  • Use the Google dork `inurl:"/wp-content/plugins/mail-masta"` to identify exposed WordPress instances running the vulnerable plugin.
  • HTTP 200 or 500 response codes combined with LFI payload in the `pl` parameter are considered indicators of a successful or attempted exploit.
  • ·The LFI parameter is `pl` — both vulnerable scripts (count_of_send.php and csvexport.php) accept this parameter for file inclusion. Detection rules should target this specific parameter name.
  • ·The nuclei template uses `stop-at-first-match: true`, meaning only one of the two endpoints needs to be vulnerable for a positive detection — defenders should check both endpoints independently.
  • ·No authentication is required to exploit this vulnerability (PR:N, UI:N per CVSS), meaning unauthenticated HTTP GET requests are sufficient for exploitation.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:P/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.