CVE Catalog

CVE-2016-20078

MediumCVSS 6.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.69%

48th percentile — higher than 48% of all known CVEs

Summary

The WordPress IMDb Profile Widget version 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Attackers can supply directory traversal sequences in GET requests to pic.php to access sensitive files like wp-config.php containing database credentials and configuration data.

Risk Assessment

This vulnerability poses a serious security risk by allowing attackers access to sensitive information, which could lead to the compromise of the entire application and user data.

Recommendation

It is recommended to update the plugin to the latest version that fixes this vulnerability and to review and secure configuration files against unauthorized access.

Original NVD description (English source)

WordPress IMDb Profile Widget 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Attackers can supply directory traversal sequences in GET requests to pic.php to access sensitive files like wp-config.php containing database credentials and configuration data.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS