CVE-2016-20080
MediumCVSS 6.2Exploitation Probability (EPSS)
Low risk31th percentile — higher than 31% of all known CVEs
Summary
The Brandfolder plugin for WordPress version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the wp_abspath parameter.
Risk Assessment
Attackers can access sensitive files like wp-config.php, potentially leading to site takeover or remote code execution.
Recommendation
It is recommended to update the Brandfolder plugin to the latest version to mitigate this vulnerability and to monitor logs for potential attack attempts.
Original NVD description (English source)
WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the wp_abspath parameter. Attackers can supply path traversal sequences or remote URLs through the wp_abspath parameter to read sensitive files like wp-config.php or execute remote code.

