CVE-2017-6095
published 2017-02-21


Priority: P263
Severity: critical (CVSS 3.0: 9.8)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 5.64% (92.0th percentile)

A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/lists/csvexport.php (Unauthenticated) with the GET Parameter: list_id.

Affected

1 range

Vendor: mail-masta_project
Product: mail-masta
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /wp-content/plugins/mail-masta/inc/lists/csvexport.php
path: /wp-content/plugins/mail-masta/inc/lists/view-list.php
path: /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php
path: /wp-content/plugins/mail-masta/inc/campaign_save.php
url: http://my_wp_app/wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0+OR+1%3D1&pl=/var/www/html/wordpress/wp-load.php
url: http://my_wp_app/wp-admin/admin.php?page=masta-lists&action=view_list&filter_list=0+OR+1%3D1
url: http://my_wp_app/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php/?pl=/var/www/html/wordpress/wp-load.php
command: action=my_action&url=%2Fvar%2Fwww%2Fhtml%2Fwp-content%2Fplugins%2Fmail-masta%2Finc%2Fcampaign_save.php&sender_selected_list_check=check&list_id=1+OR+1%3D1

  • Monitor unauthenticated GET requests to csvexport.php with a `list_id` parameter containing SQL injection payloads (e.g., OR 1=1, UNION SELECT). No authentication is required, making this endpoint the highest-priority detection target.
  • Detect GET requests to csvexport.php that also include a `pl` parameter pointing to a local filesystem path (e.g., /var/www/html/wordpress/wp-load.php), indicating potential local file inclusion chaining with the SQLi.
  • Detect POST requests to /wp-admin/admin-ajax.php containing `action=my_action` combined with a `url` parameter referencing the mail-masta plugin path and a `list_id` value with SQL injection syntax.
  • Monitor POST requests to count_of_send.php with a `camp_id` POST parameter containing unsanitized SQL, and a `pl` GET parameter referencing a local file path — this endpoint also exposes a local file inclusion vector via include($_GET['pl']).
  • Alert on GET requests to /wp-admin/admin.php with parameters `page=masta-lists`, `action=view_list`, and a `filter_list` value containing SQL injection patterns. This endpoint requires WordPress admin authentication.
  • The csvexport.php SQLi endpoint is fully unauthenticated, meaning no WordPress session or credentials are needed to exploit it. Detection rules should not filter on authentication state for this path.
  • The view-list.php, count_of_send.php, and campaign_save.php endpoints require WordPress admin privileges. Exploitation of these paths implies prior admin credential compromise or session hijacking.
  • The vulnerable plugin version is specifically 1.0. Detections should be scoped to installations where this plugin version is present.
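
The GET-based checks above, applied to web server access logs, as an added example that is not taken from this page's sources. It assumes combined-format log lines; the function names, finding labels and the SQL token list are illustrative choices, and the sample lines are constructed. POST-body parameters (`camp_id`, the admin-ajax `list_id`) do not appear in access logs and need WAF or request-body logging instead.

```python
import re
from urllib.parse import urlsplit, parse_qs

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Assumption: heuristic token list covering the page's examples (OR 1=1, UNION SELECT).
SQLI_RE = re.compile(r"\b(or|and|union|select|sleep|benchmark)\b|['\"#;]|--|/\*", re.I)
PLUGIN = "/wp-content/plugins/mail-masta/inc/"

def classify(line):
    """Return finding labels for one combined-format access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    path = url.path.rstrip("/").lower()
    qs = parse_qs(url.query, keep_blank_values=True)  # decodes '+' and %XX

    def sqli(name):
        return any(SQLI_RE.search(v) for v in qs.get(name, []))

    findings = []
    # Unauthenticated endpoint: never filter on session or login state here.
    if path.endswith(PLUGIN + "lists/csvexport.php") and sqli("list_id"):
        findings.append("csvexport-sqli-unauthenticated")
    # `pl` carrying a local filesystem path on any mail-masta script.
    if PLUGIN in path and any(v.startswith("/") or ".." in v for v in qs.get("pl", [])):
        findings.append("pl-local-path")
    # Admin-only list view: a hit implies an authenticated admin session.
    if (path.endswith("/wp-admin/admin.php") and qs.get("page") == ["masta-lists"]
            and qs.get("action") == ["view_list"] and sqli("filter_list")):
        findings.append("view-list-sqli-admin")
    return findings

# Constructed sample lines (documentation IP ranges; request URLs as quoted on this page).
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Feb/2017:10:00:01 +0000] "GET /wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=0+OR+1%3D1&pl=/var/www/html/wordpress/wp-load.php HTTP/1.1" 200 512 "-" "curl/7.52"',
    '192.0.2.10 - - [21/Feb/2017:10:00:05 +0000] "GET /wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.10 - admin [21/Feb/2017:10:01:12 +0000] "GET /wp-admin/admin.php?page=masta-lists&action=view_list&filter_list=0+OR+1%3D1 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [21/Feb/2017:10:02:30 +0000] "POST /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php/?pl=/var/www/html/wordpress/wp-load.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

def scan(lines):
    """Map line index -> findings, skipping lines with no findings."""
    return {i: f for i, l in enumerate(lines) if (f := classify(l))}

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_LOG).items():
        print(idx, found)
```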

CVSS provenance

Source: nvd | Version: v3.0 | Score: 9.8 | Severity: CRITICAL | Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: nvd | Version: v2.0 | Score: 7.5 | Severity: HIGH | Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P