CVE-2016-20079 MEDIUM

CVE-2016-20079: WordPress Dharma Booking 2.28.3 Local File Inclusion via proccess.php

Vendor Jamie
Product Dharma Booking
Weakness CWE-98 · PHP file inclusion
Published June 15, 2026
Last update June 15, 2026

CVSS base score

6.9/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Attackers can supply file paths with directory traversal sequences or null byte injection to the gateway parameter in proccess.php to read sensitive files like configuration and system files.

Key dates

Disclosure timeline

June 15, 2026 CVE published
June 15, 2026 Record updated