CVE-2016-20078
MediumCVSS 6.2Exploitation Probability (EPSS)
Low risk48th percentile — higher than 48% of all known CVEs
Summary
The WordPress IMDb Profile Widget version 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Attackers can supply directory traversal sequences in GET requests to pic.php to access sensitive files like wp-config.php containing database credentials and configuration data.
Risk Assessment
This vulnerability poses a serious security risk by allowing attackers access to sensitive information, which could lead to the compromise of the entire application and user data.
Recommendation
It is recommended to update the plugin to the latest version that fixes this vulnerability and to review and secure configuration files against unauthorized access.
Original NVD description (English source)
WordPress IMDb Profile Widget 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Attackers can supply directory traversal sequences in GET requests to pic.php to access sensitive files like wp-config.php containing database credentials and configuration data.

