What the vulnerability does
01Description
WordPress Plugin Abtest contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the action parameter. Attackers can send GET requests to abtest_admin.php with malicious action values to include files from the admin directory and execute arbitrary code.
Explanation of Vulnerability in Simple Terms
02Summary
Abtest versions 1.0.6 and later contain a local vulnerability that allows an attacker with local system access to read sensitive information. The vulnerability requires no authentication or user interaction. The exact attack mechanism is unclear due to incomplete vulnerability classification data.
What an attacker can do
03Attacker Capabilities
Read sensitive data on the system where Abtest is installed.
Potential impact on your site
04Site Impact
If Abtest runs on your server, a local attacker can access confidential information stored by the application.
Conditions required to exploit
05Prerequisites
Local access to the system; no authentication required.
Key dates
06Disclosure timeline
June 15, 2026
CVE published
June 15, 2026
Record updated