CVE-2016-10991
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Guideline Violation), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Local file inclusion vulnerability in the imdb-widget plugin for WordPress before version 1.0.9 allows unauthenticated attackers to read arbitrary files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The imdb-widget plugin for WordPress, versions before 1.0.9, contains a local file inclusion (LFI) vulnerability. The flaw resides in how the plugin handles file paths, allowing an attacker to specify and include arbitrary files from the server without proper sanitization. This affects all installations using versions earlier than 1.0.9.
Exploitation
An attacker can exploit this vulnerability by sending a crafted request to the vulnerable endpoint where the plugin includes files based on user input. No authentication is required, and the attack can be performed remotely over HTTP. The attacker only needs to manipulate a parameter (likely related to a file path) to traverse directories and include files like wp-config.php.
Impact
Successful exploitation allows an unauthenticated attacker to read sensitive files on the server, including the WordPress configuration file (wp-config.php), which contains database credentials and other secrets. This can lead to full site compromise, including data theft and potential server-level access.
Mitigation
The plugin has been closed and removed from the WordPress.org plugin directory as of December 19, 2017 [1]. Users who have it installed should uninstall it immediately, as no patched version is available for download. The recommended mitigation is to replace the plugin with an alternative solution. As of the publication date of this CVE (2019-09-17), the plugin is still considered vulnerable with no official fix distributed.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/imdb-widget plugin (description)
Patches
imdb-widget: This plugin has been removed from the WordPress.org directory on 2017-12-19 (reason: Guideline Violation). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References
- wordpress.org/plugins/imdb-widget/ (mitre, x_refsource_MISC)
- wpvulndb.com/vulnerabilities/8426 (mitre, x_refsource_MISC)