CVE-2016-20082 MEDIUM

CVE-2016-20082: WordPress Plugin Abtest Local File Inclusion via abtest_admin.php

Vendor Abtest
Product Abtest
Weakness CWE-98 · PHP file inclusion
Published June 15, 2026
Last update June 15, 2026

CVSS base score

6.9/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Attackers can send GET requests to abtest_admin.php with malicious action values to include files from the admin directory and execute arbitrary code.

Explanation of Vulnerability in Simple Terms

02Summary

Abtest versions 1.0.6 and later contain a local vulnerability that allows an attacker with local system access to read sensitive information. The vulnerability requires no authentication or user interaction. The exact attack mechanism is unclear due to incomplete vulnerability classification data.

What an attacker can do

03Attacker Capabilities

Read sensitive data on the system where Abtest is installed.

Potential impact on your site

04Site Impact

If Abtest runs on your server, a local attacker can access confidential information stored by the application.

Conditions required to exploit

05Prerequisites

Local access to the system; no authentication required.

Key dates

06Disclosure timeline

June 15, 2026 CVE published
June 15, 2026 Record updated