PatchSiren cyber security CVE debrief
CVE-2017-6096 Mail Masta Project CVE debrief
CVE-2017-6096 is a high-severity SQL injection vulnerability in the Mail Masta WordPress plugin 1.0. The issue affects /inc/lists/view-list.php and is triggered through the filter_list GET parameter. NVD rates the flaw at CVSS 7.2 and notes that WordPress admin authentication is required, so exposure is concentrated in environments where plugin admin access is available.
- Vendor: Mail Masta Project
- Product: CVE-2017-6096
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-21
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-21
- Advisory updated: 2026-05-13
Who should care
WordPress administrators, site owners, and security teams that still run Mail Masta (mail-masta) plugin 1.0 should treat this as a priority finding, especially on sites where plugin admin access is broadly delegated or poorly monitored.
Technical summary
NVD identifies the weakness as CWE-89 (SQL Injection) in Mail Masta 1.0 for WordPress. The affected component is /inc/lists/view-list.php, with the filter_list GET parameter as the injection point. The published CVSS v3.0 vector is AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: the flaw is reachable over the network with low attack complexity, high privileges are required, no user interaction is needed, and the impact on confidentiality, integrity, and availability is high if it is exploited through authenticated admin access.
Defensive priority
High
Recommended defensive actions
- Confirm whether Mail Masta 1.0 is installed anywhere in the WordPress estate and document every affected site.
- Remove or replace the plugin if it is no longer required; if it must remain, verify whether a fixed release exists before continuing use.
- Restrict WordPress admin access to the smallest possible group and review privileged accounts tied to the plugin.
- Review web and application logs for unusual requests to /inc/lists/view-list.php and the filter_list parameter.
- Validate database and application integrity after exposure, since the vulnerability can affect confidentiality, integrity, and availability.
- Track the official CVE and NVD records for any later status changes or additional vendor guidance.
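One way to carry out the log review item above, as an added example that is not part of the original debrief or the NVD record. It assumes Apache/nginx combined-format access logs, that requests reach the file at a path ending in /inc/lists/view-list.php, and that a legitimate filter_list value is a short alphanumeric identifier; the sample log lines and the plugin directory in them are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

VULN_PATH = "/inc/lists/view-list.php"  # affected file named in the NVD record
PARAM = "filter_list"                   # GET parameter named in the NVD record

# Combined/common log format: ip ident user [time] "METHOD target PROTO" status ...
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: a benign value is a short identifier; tune this for your site.
BENIGN_VALUE = re.compile(r"[A-Za-z0-9_-]{0,32}")

def review_line(line):
    """Return a finding dict if the line touches view-list.php with filter_list."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # Decode the path so percent-encoded variants of the file name still match.
    if not unquote(url.path).lower().endswith(VULN_PATH):
        return None
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM)
    if values is None:
        return None
    # parse_qs has already percent-decoded the values once.
    suspicious = any(not BENIGN_VALUE.fullmatch(v) for v in values)
    return {"ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
            "values": values, "suspicious": suspicious}

def review_log(lines):
    """Collect every request to the affected endpoint, benign or not."""
    return [hit for hit in map(review_line, lines) if hit]

# Constructed sample lines (documentation IP ranges, hypothetical install path).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Mar/2017:10:00:01 +0000] "GET /wp-content/plugins/'
    'mail-masta/inc/lists/view-list.php?filter_list=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Mar/2017:10:02:44 +0000] "GET /wp-content/plugins/'
    'mail-masta/inc/lists/view-list.php?filter_list=12%27%20OR%20%271%27%3D%271'
    ' HTTP/1.1" 200 48211',
    '192.0.2.10 - - [01/Mar/2017:10:03:00 +0000] "GET /wp-admin/index.php HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in review_log(SAMPLE_LOG):
        flag = "SUSPICIOUS" if hit["suspicious"] else "ok"
        print(flag, hit["ip"], hit["time"], hit["status"], hit["values"])
```

Because exploitation requires an authenticated admin, correlate any flagged source address and timestamp with WordPress login records for the same session.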
Evidence notes
This debrief is based on the supplied NVD record for CVE-2017-6096, published 2017-02-21 and last modified 2026-05-13. The record states that Mail Masta (aka mail-masta) plugin 1.0 for WordPress is affected, with the vulnerable path /inc/lists/view-list.php and GET parameter filter_list. NVD classifies the weakness as CWE-89 and provides the CVSS v3.0 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The supplied references include the official CVE record, the NVD detail page, and third-party advisory/exploit reference links; no exploit steps are reproduced here.
Official resources
- CVE-2017-6096 CVE record (CVE.org)
- CVE-2017-6096 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Exploit, Third Party Advisory)
- Mitigation or vendor reference ([email protected] - Exploit, Third Party Advisory)
- Mitigation or vendor reference ([email protected] - Exploit, Third Party Advisory, VDB Entry)
CVE-2017-6096 was published on 2017-02-21. The supplied source metadata shows a later modification on 2026-05-13; that date reflects record maintenance, not the original issue date.