CVE-2017-6095

CRITICAL

Mail Masta 1.0 - Unauthenticated SQL Injection via list_id Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-6095. PoCs published by Hanley Shun.

AI-analyzed exploit summary: This exploit demonstrates multiple SQL injection vulnerabilities in the Mail Masta WordPress plugin version 1.0. It includes unauthenticated and authenticated SQLi vectors via GET and POST parameters, with clear examples of malicious payloads.

Description

A SQL injection issue was discovered in the Mail Masta (aka mail-masta) plugin 1.0 for WordPress. This affects /inc/lists/csvexport.php (Unauthenticated) with the GET Parameter: list_id.

Exploits (1)

exploitdb WORKING POC
by Hanley Shun · text · webapps · php
https://www.exploit-db.com/exploits/41438

Classification: Working PoC (95%)
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: Mail Masta WordPress plugin 1.0
Authentication: No auth needed
Prerequisites: Access to the target WordPress site · Mail Masta plugin version 1.0 installed
devstral-2 · analyzed Feb 16, 2026

References (3)

Exploit, Third Party Advisory x_refsource_misc
https://github.com/hamkovic/Mail-Masta-Wordpress-Plugin
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41438/

Scores

CVSS v3: 9.8
EPSS: 0.0564
EPSS Percentile: 91.9%
Attack Vector: NETWORK
Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (1): mail-masta_project/mail-masta 1.0
Published: Feb 21, 2017
Tracked Since: Feb 18, 2026