CVE-2016-20077

WordPress Plugin Photocart Link 1.6 Local File Inclusion via decode.php

CVSS 6.9 MEDIUMEPSS 0.4%CWE-98

WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in decode.php. Attackers can supply base64-encoded file paths in the 'id' parameter to the decode.php endpoint to retrieve sensitive files like wp-config.php containing database credentials and configuration data.

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Affected products

KaymeePhotography · Photocart Link

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/39623unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://fr.wordpress.org/plugins/photocart-link/https://www.exploit-db.com/exploits/39623 https://www.vulncheck.com/advisories/wordpress-plugin-photocart-link-local-file-inclusion-via-decode-php