PatchSiren cyber security CVE debrief
CVE-2017-6098 Mail Masta Project CVE debrief
CVE-2017-6098 is an authenticated SQL injection issue in the Mail Masta (mail-masta) WordPress plugin 1.0. The vulnerable path is /inc/campaign_save.php, and the issue is tied to the POST parameter list_id. NVD classifies it as CWE-89 and rates the flaw HIGH with a CVSS 3.0 score of 7.2, reflecting potentially serious confidentiality, integrity, and availability impact if an attacker has the required WordPress admin privileges.
- Vendor: Mail Masta Project
- Product: CVE-2017-6098
- CVSS: HIGH 7.2
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-21
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-21
- Advisory updated: 2026-05-13
Who should care
WordPress administrators, site owners running Mail Masta 1.0, vulnerability management teams, and anyone responsible for plugin inventory and patching on WordPress deployments.
Technical summary
NVD identifies the affected CPE as mail-masta_project mail-masta 1.0 for WordPress and assigns CWE-89 (SQL Injection). The CVSS vector is CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, which indicates network exploitation, low complexity, no user interaction, and a high-privilege prerequisite. The vulnerable code path is /inc/campaign_save.php, where the list_id POST parameter is implicated. Public references linked by NVD/MITRE include a GitHub repository, WPVulnDB entry, and Exploit-DB listing.
Defensive priority
High for any environment that still has Mail Masta 1.0 installed. Because exploitation requires WordPress admin privileges, the exposure is narrower than unauthenticated bugs, but the potential impact remains severe.
Recommended defensive actions
- Inventory WordPress sites for the Mail Masta / mail-masta plugin and confirm whether version 1.0 is present.
- Remove or update the plugin if a fixed version is available; if no trusted fix exists, disable and uninstall it.
- Restrict and monitor WordPress admin access, especially for accounts that can reach plugin functionality.
- Review server and application logs for unusual requests to /inc/campaign_save.php and unexpected SQL-related errors.
- Validate database integrity and recent campaign-related changes if the plugin was in use during the exposure window.
- Use web application firewall or application-layer controls as a compensating measure only if immediate removal is not possible.
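As an added example for the log-review step above (not code from the advisory or the plugin), the script below triages requests to /inc/campaign_save.php. It assumes a proxy or application log that records the POST body in a constructed one-line-per-request format and flags entries whose list_id is not a plain integer or that ended in a server error; the log format, IPs and plugin directory prefix are assumptions.

```python
"""Triage log lines for the Mail Masta campaign_save.php endpoint.

The advisory ties CVE-2017-6098 to the POST parameter list_id, which a
benign request should only ever send as an integer identifier. Non-integer
values and 500 responses on this path are what a reviewer should look at.
"""
import re
from collections import Counter
from urllib.parse import parse_qs

# Path named in the advisory; the plugin directory prefix is an assumption.
TARGET_PATH = "/inc/campaign_save.php"

# Assumed log format: <client ip> <method> <path> <status> <url-encoded body or ->
LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) (?P<body>\S+)$"
)
INT_RE = re.compile(r"^\d+$")

# Constructed sample lines (not real traffic): one clean save, two odd ones.
SAMPLE_LOG = """\
203.0.113.10 POST /wp-content/plugins/mail-masta/inc/campaign_save.php 200 list_id=12&campaign=spring
203.0.113.10 POST /wp-content/plugins/mail-masta/inc/campaign_save.php 200 list_id=12%27&campaign=spring
198.51.100.7 POST /wp-content/plugins/mail-masta/inc/campaign_save.php 500 list_id=7+x&campaign=test
198.51.100.7 GET /wp-admin/index.php 200 -
203.0.113.10 POST /wp-content/plugins/mail-masta/inc/campaign_save.php 200 list_id=3&campaign=autumn
"""


def analyze(log_text: str) -> list[dict]:
    """Return one finding per suspicious request to the vulnerable endpoint."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m or not m["path"].endswith(TARGET_PATH):
            continue  # malformed line or unrelated endpoint
        body = "" if m["body"] == "-" else m["body"]
        params = parse_qs(body, keep_blank_values=True)  # also percent-decodes
        reasons = [
            f"non-integer list_id {value!r}"
            for value in params.get("list_id", [])
            if not INT_RE.match(value)
        ]
        if m["status"] == "500":
            reasons.append("server error on save endpoint")
        if reasons:
            findings.append({"line": lineno, "ip": m["ip"], "reasons": reasons})
    return findings


def offenders(findings: list[dict]) -> Counter:
    """Count flagged requests per client IP to prioritise account review."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"line {f['line']} from {f['ip']}: {'; '.join(f['reasons'])}")
```

Flagged IPs map to admin sessions in the WordPress logs, since the bug requires an authenticated administrator; a clean integer list_id on every line is the expected baseline.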
Evidence notes
This debrief is based on the official CVE record and NVD entry for CVE-2017-6098. The source corpus states the issue affects /inc/campaign_save.php and the POST parameter list_id, and that WordPress admin authentication is required. NVD lists the vulnerable CPE as cpe:2.3:a:mail-masta_project:mail-masta:1.0:*:*:*:*:wordpress:*:* and assigns CWE-89. Reference links in the corpus include the CVE record, NVD detail page, a GitHub reference, WPVulnDB entry, and Exploit-DB listing. No exploit instructions or unsupported impact claims are included.
Official resources
- CVE-2017-6098 CVE record (CVE.org)
- CVE-2017-6098 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Third Party Advisory
- Source reference: [email protected] - Exploit
- Mitigation or vendor reference: [email protected] - Exploit, Third Party Advisory, VDB Entry
CVE published on 2017-02-21T07:59:00.610Z and last modified on 2026-05-13T00:24:29.033Z. The debrief uses the published date for issue timing and the modified date only as record context.