← back
CVE-2016-20080

WordPress Brandfolder Plugin 3.0 Local File Inclusion via callback.php

CVSS 6.9 MEDIUMEPSS 0.4%CWE-98
WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php that allows unauthenticated attackers to include arbitrary files by manipulating the wp_abspath parameter. Attackers can supply path traversal sequences or remote URLs through the wp_abspath parameter to read sensitive files like wp-config.php or execute remote code.
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
Brandfolder · Brandfolder
public PoCs found1
cve_referencewww.exploit-db.com/exploits/39591unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://brandfolder.comhttps://wordpress.org/plugins/brandfolder/https://www.exploit-db.com/exploits/39591https://www.vulncheck.com/advisories/wordpress-brandfolder-plugin-local-file-inclusion-via-callback-php