CVE-2016-20078
Status: Received - Intake
Local File Inclusion in WordPress IMDb Profile Widget

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulnCheck

Description
WordPress IMDb Profile Widget 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Attackers can supply directory traversal sequences in GET requests to pic.php to access sensitive files like wp-config.php containing database credentials and configuration data.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor          Product               Version / Range
imdb            profile_widget        1.0.8
henrique_dias   imdb_profile_widget   up to 1.0.8 (inclusive)
CWE
CWE-98: The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
Detection Guidance

This vulnerability can be detected by sending crafted GET requests to the vulnerable endpoint with directory traversal sequences in the 'url' parameter and checking whether the response discloses file contents.

For example, you can use the following command to test if the vulnerability exists by trying to read the wp-config.php file:

  • curl -i "http://<target-site>/wp-content/plugins/imdb-widget/pic.php?url=../../../wp-config.php"

If the response contains contents of the wp-config.php file or other sensitive files, the system is vulnerable.
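On the defensive side, the same request pattern can be hunted for in web-server access logs. The following Python is an added example, not part of the advisory: it scans constructed Common Log Format lines for GET requests to the pic.php path shown in the sample request above whose 'url' parameter carries a traversal sequence, and it goes slightly beyond the plain `../` case by also decoding percent-encoded and double-encoded variants. The plugin path is assumed to be the default slug from the sample request.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Endpoint taken from the advisory's sample request (assumption: default plugin slug).
PIC_PHP_PATH = "/wp-content/plugins/imdb-widget/pic.php"

# Request field of a Common Log Format line: "METHOD TARGET HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A ".." path segment bounded by slashes or backslashes (or the string ends).
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def fully_decode(value, rounds=3):
    """Strip up to `rounds` layers of percent-encoding so %2e%2e%2f and
    double-encoded %252e%252e%252f forms are inspected as plain '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal_probe(target):
    """True if the request target hits pic.php with a traversal in 'url'."""
    parts = urlsplit(target)
    if not parts.path.endswith(PIC_PHP_PATH):
        return False
    for raw in parse_qs(parts.query, keep_blank_values=True).get("url", []):
        if TRAVERSAL_RE.search(fully_decode(raw)):
            return True
    return False

def scan_access_log(lines):
    """Return (client_ip, request_target) for each suspicious GET line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and m.group("method") == "GET" and is_traversal_probe(m.group("target")):
            hits.append((line.split(" ", 1)[0], m.group("target")))
    return hits

# Constructed sample log lines (not real traffic): two probes, two benign requests.
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Jun/2026:10:00:01 +0000] "GET /wp-content/plugins/imdb-widget/pic.php?url=../../../wp-config.php HTTP/1.1" 200 2811',
    '203.0.113.6 - - [15/Jun/2026:10:00:02 +0000] "GET /wp-content/plugins/imdb-widget/pic.php?url=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2811',
    '198.51.100.9 - - [15/Jun/2026:10:00:03 +0000] "GET /wp-content/plugins/imdb-widget/pic.php?url=poster.jpg HTTP/1.1" 200 51234',
    '198.51.100.2 - - [15/Jun/2026:10:00:04 +0000] "GET /index.php?url=../../wp-config.php HTTP/1.1" 404 512',
]

if __name__ == "__main__":
    for ip, target in scan_access_log(SAMPLE_LOG):
        print("ALERT", ip, target)
```

A 200 response on a flagged line is the strongest signal, since the plugin returns the included file's contents in the body; a 404 on the same pattern usually means the plugin is already removed.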

Executive Summary

The WordPress IMDb Profile Widget version 1.0.8 contains a local file inclusion (LFI) vulnerability in the pic.php file. This vulnerability allows unauthenticated attackers to read arbitrary files on the server by manipulating the 'url' parameter in GET requests.

Attackers exploit this by supplying directory traversal sequences (e.g., ../../../) to access sensitive files such as wp-config.php, which contains database credentials and configuration data.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information stored on the server, such as database credentials and configuration files.

An attacker exploiting this flaw can read critical files without authentication, potentially compromising the security of the entire WordPress installation and its underlying database.

Compliance Impact

This vulnerability allows unauthenticated attackers to read arbitrary files on the server, including sensitive files such as wp-config.php that contain database credentials and configuration data.

Exposure of such sensitive information could lead to unauthorized access to personal data stored in the database, potentially resulting in violations of data protection regulations like GDPR and HIPAA.

Therefore, exploitation of this vulnerability may compromise the confidentiality of personal data, impacting compliance with standards that require protection of sensitive information.

Mitigation Strategies

Immediate mitigation steps include removing or disabling the vulnerable IMDb Profile Widget plugin version 1.0.8 or earlier from your WordPress installation.

Since the plugin has been removed from the WordPress Plugin Directory and is no longer maintained, it is recommended to uninstall it completely to prevent exploitation.

Additionally, restrict access to the vulnerable pic.php file or the plugin directory via web server configuration to prevent unauthorized access.
