CVE-2016-20082
Status: Received - Intake
Local File Inclusion in WordPress Plugin Abtest

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: VulnCheck

Description
WordPress Plugin Abtest contains a local file inclusion vulnerability: the action parameter of GET requests to abtest_admin.php is used to build an include path without restriction, so an unauthenticated attacker who supplies a crafted action value can include arbitrary files from the admin directory and execute arbitrary code.
Meta Information
Generated: 2026-06-15
AI Q&A generated: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: wp-plugins
Product: abtest
Version / Range: all versions before 1.0.7 (1.0.7 excluded, i.e. 1.0.6 and below)
CWE
CWE-98: The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
AI-generated analysis
Executive Summary

The WordPress Plugin Abtest, versions 1.0.6 and below, contains a local file inclusion (LFI) vulnerability in abtest_admin.php. The plugin does not control the filename derived from the 'action' parameter of GET requests before passing it to a PHP include or require (CWE-98).

An unauthenticated attacker can therefore set 'action' to a path of their choosing and have the plugin include arbitrary files from the server's admin directory. Because the included file is parsed as PHP, this can lead to execution of arbitrary code on the server.

The root cause is that the plugin concatenates the raw 'action' value into a file path without sanitization or an allowlist of permitted actions, so path traversal sequences ("../") in the parameter escape the intended directory.

Impact Analysis

Because no authentication is required, any remote client that can reach abtest_admin.php can trigger the inclusion.

  • Execution of arbitrary code on the web server, potentially leading to full server compromise.
  • Disclosure of sensitive local files that the web server process can read, such as wp-config.php (database credentials and salts) or system password files.
  • Disruption of site functionality or unauthorized access to administrative features through the included code.
Detection Guidance

Exploitation is visible in web server logs as GET requests to abtest_admin.php whose 'action' parameter carries a file path rather than a plain action name.

  • Look for HTTP GET requests with URLs similar to: /wp-content/plugins/abtest/abtest_admin.php?action=[payload]
  • Payloads typically contain path traversal sequences such as ../../../../etc/passwd or other local file paths. Expect URL-encoded variants as well (%2e%2e%2f, and double-encoded %252e%252e%252f), which a naive search for "../" will miss; decode the query string before matching.

Web server access logs or network monitoring tools can be searched for such requests.

  • Example command to search Apache logs for every request to the vulnerable endpoint (fixed-string match, so the '?' is not treated as a regex metacharacter): grep -F 'abtest_admin.php?action=' /var/log/apache2/access.log
  • To confirm whether a site you are authorized to test is affected, send a crafted request, e.g.: curl 'http://yourwordpresssite/wp-content/plugins/abtest/abtest_admin.php?action=../../../../etc/passwd' and check whether the response contains the file's contents. Only test systems you own or have permission to test, and note that the request itself will appear in the access log as an exploitation attempt.
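The decoding caveat above is where a plain grep falls short, so here is an added detection script (written for this page; it is not VulnCheck's tooling nor part of the Abtest plugin) that parses Apache combined-format access log lines, isolates requests to the abtest_admin.php endpoint, percent-decodes the 'action' value until it stops changing, and flags traversal sequences, absolute paths and null bytes. The log lines, client addresses and timestamps are constructed for the example; the endpoint path is the one named in this advisory. It assumes legitimate action values are simple tokens without path separators, which is an assumption about the plugin, not something the advisory states.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (Apache combined format). The endpoint path
# comes from the advisory; hosts, timestamps and user agents are invented.
SAMPLE_LOG = """\
203.0.113.5 - - [15/Jun/2026:10:01:02 +0000] "GET /wp-content/plugins/abtest/abtest_admin.php?action=../../../../etc/passwd HTTP/1.1" 200 1423 "-" "curl/8.0"
203.0.113.5 - - [15/Jun/2026:10:01:09 +0000] "GET /wp-content/plugins/abtest/abtest_admin.php?action=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1423 "-" "curl/8.0"
198.51.100.7 - - [15/Jun/2026:10:02:00 +0000] "GET /wp-content/plugins/abtest/abtest_admin.php?action=list HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.8 - - [15/Jun/2026:10:03:00 +0000] "GET /wp-content/plugins/abtest/abtest_admin.php?action=%252e%252e%252fwp-config.php HTTP/1.1" 200 3201 "-" "python-requests/2.31"
192.0.2.9 - - [15/Jun/2026:10:04:00 +0000] "GET /index.php?p=1 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Apache combined log: client, identd, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Vulnerable endpoint as named in the advisory.
TARGET_PATH = "/wp-content/plugins/abtest/abtest_admin.php"


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly (bounded) so %252e%252e%252f collapses to ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_inclusion_payload(action):
    """True if the decoded action looks like a file path rather than an action name.

    Assumption (not from the advisory): legitimate actions are plain tokens,
    so traversal, absolute paths and null bytes are all attacker-controlled.
    """
    decoded = fully_decode(action).replace("\\", "/")
    return "../" in decoded or decoded.startswith("/") or "\x00" in decoded


def find_abtest_lfi(log_text):
    """Return one record per request to abtest_admin.php with a suspicious action."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != TARGET_PATH:
            continue
        # parse_qs performs one decode round; fully_decode handles double encoding.
        for action in parse_qs(parts.query, keep_blank_values=True).get("action", []):
            if is_inclusion_payload(action):
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "action": fully_decode(action),
                    "status": int(m.group("status")),
                })
    return hits


if __name__ == "__main__":
    for hit in find_abtest_lfi(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} status={hit['status']} action={hit['action']!r}")
```

Run against a real log with `find_abtest_lfi(open("/var/log/apache2/access.log").read())`. A 200 status on a flagged request does not by itself prove the include succeeded, but a 200 with a response size matching the targeted file is a strong indicator and should be treated as a confirmed compromise attempt.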
Mitigation Strategies

The immediate mitigation is to disable or remove the Abtest plugin; all versions below 1.0.7 (1.0.6 and earlier) are listed as affected, and the advisory names no fixed release.

If removal is not immediately possible, restrict access to abtest_admin.php to trusted clients, for example with an IP allowlist or HTTP authentication at the web server (on Apache 2.4, a <Files "abtest_admin.php"> block with Require ip directives). Requiring WordPress authentication alone is not sufficient unless the plugin's own code enforces it, because the vulnerable request is unauthenticated.

Monitor web server logs for requests to abtest_admin.php whose 'action' parameter contains path separators or encoded traversal sequences, and investigate any that returned 200.

Apply a patched release from the plugin vendor if one becomes available.
