CVE-2016-20079 MEDIUM

CVE-2016-20079: WordPress Dharma Booking 2.28.3 Local File Inclusion via proccess.php

Vendor Jamie
Product Dharma Booking
Weakness CWE-98 · PHP file inclusion
Published June 15, 2026
Last update June 15, 2026

CVSS base score

6.9/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Attackers can supply file paths with directory traversal sequences or null byte injection to the gateway parameter in proccess.php to read sensitive files like configuration and system files.

Explanation of Vulnerability in Simple Terms

02Summary

Dharma Booking versions up to 2.28.3 contain a local code execution vulnerability. An attacker with local access to the system can run arbitrary code with high privileges. The vulnerability stems from improper handling of user-supplied input that is not properly validated before execution. This affects the confidentiality of data stored on the affected system.

What an attacker can do

03Attacker Capabilities

Run code locally on the server with high privileges.

Potential impact on your site

04Site Impact

An attacker with server access can execute code and read sensitive data from your booking system.

Conditions required to exploit

05Prerequisites

Local access to the server; no authentication or user interaction required.

Key dates

06Disclosure timeline

June 15, 2026 CVE published
June 15, 2026 Record updated