WordPress Plugin Vulnerabilities

Mail Masta <= 1.0 - Unauthenticated Local File Inclusion (LFI)

Description

The plugin does not validate the pl parameter before using it in an include statement, leading to a Local File Inclusion issue

Proof of Concept

Affects Plugins

Plugin icon
mail-masta
No known fix

References

CVE
CVE-2016-10956
Exploitdb
40290
Exploitdb
50226
URL
https://cxsecurity.com/issue/WLB-2016080220

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
7.5 (high)

Miscellaneous

Submitter
ethicalhack3r
Submitter twitter
ethicalhack3r
Verified
Yes
WPVDB ID
5136d5cf-43c7-4d09-bf14-75ff8b77bb44

Timeline

Publicly Published
2016-08-23 (about 9 years ago)
Added
2016-08-24 (about 9 years ago)
Last Updated
2022-04-10 (about 3 years ago)

Other

Published
Title
Published
2025-01-16
Title
Eventer < 3.9.8 - Authenticated (Subscriber+) Arbitrary File Read
Published
2026-01-13
Title
Anona <= 8.0 - Unauthenticated Arbitrary File Deletion
Published
2025-08-25
Title
Jannah < 7.5.1 - Unauthenticated Local File Inclusion
Published
2020-04-13
Title
Media Library Assistant < 2.82 - Unauthenticated Limited Local File Inclusion
Published
2025-07-21
Title
Extensions For CF7 (Contact form 7 Database, Conditional Fields and Redirection) < 3.2.9 - Unauthenticated Arbitrary File Deletion Triggered via Admin Form Submission Deletion