PatchSiren cyber security CVE debrief
CVE-2017-6095 Mail Masta Project CVE debrief
CVE-2017-6095 is a critical SQL injection vulnerability in the Mail Masta (mail-masta) WordPress plugin version 1.0. The NVD record states that the issue affects /inc/lists/csvexport.php and can be triggered without authentication through the list_id GET parameter. Because the flaw is network-reachable and requires no privileges or user interaction, it presents a high-risk exposure for any WordPress site still running the affected plugin version.
- Vendor: Mail Masta Project
- Product: CVE-2017-6095
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-21
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-21
- Advisory updated: 2026-05-13
Who should care
WordPress administrators, site owners, plugin maintainers, and security teams responsible for externally exposed WordPress instances should treat this as urgent if Mail Masta 1.0 is installed. Any environment that relies on the plugin for mailing-list handling or CSV export should verify whether the vulnerable component is present.
Technical summary
The supplied NVD data identifies a CWE-89 SQL injection in Mail Masta Project's mail-masta 1.0 for WordPress. The vulnerable endpoint is /inc/lists/csvexport.php, and the exploitable input is the unauthenticated GET parameter list_id. NVD rates the issue CVSS 3.0 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating that successful exploitation could lead to full compromise of confidentiality, integrity, and availability within the application's database context.
Defensive priority
Immediate. This is a critical, unauthenticated remote injection flaw in an internet-facing WordPress plugin, with a CVSS score of 9.8 and broad impact potential.
Recommended defensive actions
- Inventory WordPress installations to determine whether Mail Masta 1.0 is installed or active.
- Remove or disable the vulnerable plugin if it is no longer required.
- If the plugin must remain in use, apply the vendor or trusted third-party remediation available for the affected version and validate the fix in a test environment first.
- Restrict exposure of the affected WordPress site where feasible, but do not treat access controls as a substitute for remediation.
- Review database and application logs for suspicious requests to /inc/lists/csvexport.php and unusual list_id parameters.
- After remediation, verify the plugin version and confirm the vulnerable endpoint is no longer exploitable.
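The technical summary identifies the injectable input as the unauthenticated list_id GET parameter on /inc/lists/csvexport.php, and the log-review action above asks for requests with unusual values of that parameter. The following Python script is an added example, not PatchSiren's or the Mail Masta project's code: it parses web server access log lines in the common combined format and flags any request to the vulnerable endpoint whose list_id is not a plain integer (a list identifier should never need quotes, spaces or SQL keywords). The log lines, IP addresses and timestamps are constructed for the example; the parsing regex and the path suffix check are assumptions about what a typical WordPress deployment logs.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Path of the vulnerable plugin endpoint named in the NVD record.
VULN_PATH_SUFFIX = "/inc/lists/csvexport.php"

# Constructed sample access log lines (Apache/nginx "combined" format).
# These are NOT real traffic; they exist only to exercise the scanner.
SAMPLE_LOG = """\
203.0.113.10 - - [21/Feb/2017:10:01:02 +0000] "GET /wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [21/Feb/2017:10:01:05 +0000] "GET /wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=3%27%20OR%201%3D1-- HTTP/1.1" 200 8192 "-" "curl/7.52"
203.0.113.12 - - [21/Feb/2017:10:02:00 +0000] "GET /wp-content/plugins/mail-masta/inc/lists/csvexport.php?list_id=3%20UNION%20SELECT%201 HTTP/1.1" 500 0 "-" "python-requests/2.12"
203.0.113.13 - - [21/Feb/2017:10:03:00 +0000] "GET /index.php?p=3 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.14 - - [21/Feb/2017:10:04:00 +0000] "GET /wp-content/plugins/mail-masta/inc/lists/csvexport.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Assumed combined-log layout: client, ident, user, [timestamp], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format log line into named fields, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def is_suspicious_list_id(value: str) -> bool:
    """A legitimate list_id is a bare non-negative integer; anything else warrants review.

    Empty values are flagged too, since the endpoint should only be called with a real id.
    """
    return re.fullmatch(r"\d+", value) is None


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per request to the vulnerable endpoint with a non-integer list_id."""
    findings: List[Dict[str, str]] = []
    for line in text.splitlines():
        record = parse_line(line)
        if record is None:
            continue  # unparseable line: skip rather than crash the review
        parts = urlsplit(record["target"])
        if not parts.path.endswith(VULN_PATH_SUFFIX):
            continue
        # parse_qs percent-decodes values, so "%27%20OR" becomes "' OR" before the check.
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("list_id", []):
            if is_suspicious_list_id(value):
                findings.append({
                    "ip": record["ip"],
                    "timestamp": record["ts"],
                    "status": record["status"],
                    "list_id": value,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['ip']} status={f['status']} list_id={f['list_id']!r}")
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; a hit tells you which client sent non-numeric values and what HTTP status the endpoint returned, which helps decide whether the request reached the database (a 200 with a large response on a tampered list_id is more concerning than a 404). Because the script only matches on the path suffix, it works regardless of where the plugin directory sits under wp-content.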
Evidence notes
The assessment is based on the supplied NVD record and its referenced advisories. NVD lists CVE-2017-6095 as a modified record published on 2017-02-21 and last modified on 2026-05-13. The record identifies the vulnerable CPE as mail-masta_project:mail-masta:1.0 for WordPress, the weakness as CWE-89, and the CVSS vector as CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. References in the supplied corpus include a GitHub repository, WPVulnDB, and Exploit-DB entries.
Official resources
- CVE-2017-6095 CVE record (CVE.org)
- CVE-2017-6095 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Third Party Advisory
- Source reference: [email protected] - Exploit
- Mitigation or vendor reference: [email protected] - Exploit, Third Party Advisory, VDB Entry
CVE-2017-6095 was published in the supplied CVE data on 2017-02-21 and later updated in the NVD record on 2026-05-13. The supplied corpus includes exploit and third-party advisory references, but no vendor patch notice was provided in the b