PatchSiren

PatchSiren cyber security CVE debrief

CVE-2017-6097 Mail Masta Project CVE debrief

CVE-2017-6097 is an authenticated SQL injection affecting the Mail Masta (mail-masta) WordPress plugin 1.0. The vulnerable path is /inc/campaign/count_of_send.php, and the issue is triggered through the POST parameter camp_id. NVD classifies the weakness as CWE-89 and assigns a CVSS 3.0 score of 7.2 (HIGH), indicating meaningful impact once an attacker has WordPress admin authentication.

Vendor: Mail Masta Project
Product: Mail Masta (mail-masta) WordPress plugin 1.0 (CVE-2017-6097)
CVSS: HIGH 7.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-21
Original CVE updated: 2026-05-13
Advisory published: 2017-02-21
Advisory updated: 2026-05-13

Who should care

WordPress site administrators, security teams responsible for plugin inventory and hardening, and organizations that still have Mail Masta plugin 1.0 installed in production or staging environments.

Technical summary

The official NVD metadata maps the issue to cpe:2.3:a:mail-masta_project:mail-masta:1.0:*:*:*:*:wordpress:*:* and identifies CWE-89. The CVSS vector is CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, which reflects network reachability, low attack complexity, and the need for high privileges (WordPress admin access). The CVE description specifically names /inc/campaign/count_of_send.php and the POST parameter camp_id as the affected input.

Defensive priority

High for any environment where Mail Masta plugin 1.0 is present, especially if administrative WordPress access is broadly shared or insufficiently protected. Because exploitation requires admin authentication, the immediate risk is lower than for a fully unauthenticated bug, but the potential impact (full confidentiality, integrity and availability loss per the CVSS vector) remains significant.

Recommended defensive actions

  • Inventory WordPress sites to confirm whether Mail Masta (mail-masta) plugin 1.0 is installed.
  • Remove the plugin if it is not required, or replace it with a supported alternative.
  • If a fixed release is available from the vendor or maintainer, upgrade to the patched version as soon as possible.
  • Restrict WordPress admin access, use unique credentials, and enforce multi-factor authentication where available.
  • Review application and web server logs for requests to /inc/campaign/count_of_send.php and other unexpected activity involving camp_id.
  • Validate database backups and recovery procedures before making changes, so remediation can be completed safely.
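The log review step above can be scripted. The following is an added example written for this debrief, not PatchSiren or plugin code; it assumes web server logs in the Apache/nginx common log format and assumes the plugin is installed under the usual WordPress plugin directory, so it matches on the path suffix named in the CVE rather than a fixed prefix. Because camp_id is a POST body parameter, it does not appear in access logs, so the script flags requests to the endpoint and counts POSTs per client.

```python
import re
from collections import Counter

# Common log format: client IP, timestamp, "METHOD path PROTOCOL", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Endpoint named in CVE-2017-6097. Assumption: the plugin lives under
# wp-content/plugins/mail-masta/, so only the suffix is matched.
VULN_SUFFIX = "/inc/campaign/count_of_send.php"


def parse_line(line):
    """Parse one access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_hits(lines):
    """Return (ip, timestamp, method, status) for every request to the endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path.endswith(VULN_SUFFIX):
            hits.append((rec["ip"], rec["ts"], rec["method"], int(rec["status"])))
    return hits


def summarize(hits):
    """Count POST requests to the endpoint per client IP (the CVE's trigger is a POST)."""
    return Counter(ip for ip, _, method, _ in hits if method == "POST")


# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Feb/2017:10:00:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 5123',
    '203.0.113.5 - - [21/Feb/2017:10:00:05 +0000] "POST /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php HTTP/1.1" 200 312',
    '203.0.113.5 - - [21/Feb/2017:10:00:06 +0000] "POST /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php HTTP/1.1" 500 198',
    '198.51.100.7 - - [21/Feb/2017:10:01:00 +0000] "GET /wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?x=1 HTTP/1.1" 200 120',
    '198.51.100.7 - - [21/Feb/2017:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 9000',
    "malformed line that should be skipped",
]

if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG)
    for ip, ts, method, status in found:
        print(f"{ts} {ip} {method} -> {status}")
    print("POSTs per client:", dict(summarize(found)))
```

Any POST to this endpoint from an account or address that should not be running campaign reports is worth correlating with WordPress authentication logs.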

Evidence notes

The CVE was published on 2017-02-21, and the official NVD record was last modified on 2026-05-13; those dates are metadata for the record, not the time of compromise. The supplied official sources identify the vulnerability as an authenticated SQL injection in Mail Masta plugin 1.0, affecting /inc/campaign/count_of_send.php with POST parameter camp_id, and classify it as CWE-89 with CVSS 3.0 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. NVD also lists third-party references, but this debrief relies on the official CVE/NVD metadata only.

Official resources

Publicly disclosed in the CVE record on 2017-02-21. The NVD entry was modified on 2026-05-13, which is later metadata maintenance and should not be confused with the original vulnerability publication date.