CVE-2016-20078 MEDIUM

CVE-2016-20078: WordPress IMDb Profile Widget 1.0.8 Local File Inclusion via pic.php

Vendor Henrique Dias

Product IMDb Profile Widget

Weakness CWE-98 · PHP file inclusion

Published June 15, 2026

Last update June 15, 2026

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Local

Attack complexity Low

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

WordPress IMDb Profile Widget 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Attackers can supply directory traversal sequences in GET requests to pic.php to access sensitive files like wp-config.php containing database credentials and configuration data.

Key dates

Disclosure timeline

June 15, 2026 CVE published

June 15, 2026 Record updated