CVE Catalog

CVE-2016-20080

MediumCVSS 6.2
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.39%

31th percentile — higher than 31% of all known CVEs

Summary

The Brandfolder plugin for WordPress version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the wp_abspath parameter.

Risk Assessment

Attackers can access sensitive files like wp-config.php, potentially leading to site takeover or remote code execution.

Recommendation

It is recommended to update the Brandfolder plugin to the latest version to mitigate this vulnerability and to monitor logs for potential attack attempts.

Original NVD description (English source)

WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the wp_abspath parameter. Attackers can supply path traversal sequences or remote URLs through the wp_abspath parameter to read sensitive files like wp-config.php or execute remote code.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS