VYPR
Medium severity · 6.2 · NVD Advisory · Published Jun 15, 2026

CVE-2016-20077
Description

WordPress Plugin Photocart Link 1.6 contains an unauthenticated local file inclusion vulnerability in decode.php, allowing arbitrary file read via base64-encoded 'id' parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability

The WordPress Plugin Photocart Link version 1.6 and earlier contains a local file inclusion vulnerability in decode.php. The script takes the $_REQUEST['id'] parameter, passes it through base64_decode(), and hands the decoded value straight to readfile() without any validation or sanitization [1][2]. Because nothing constrains the decoded path, unauthenticated attackers can read arbitrary files on the server.

Exploitation

An attacker with network access to the WordPress site can exploit this by sending a request to the decode.php endpoint with a base64-encoded file path in the id parameter. For example, the path ../../../wp-config.php encoded as Li4vLi4vLi4vd3AtY29uZmlnLnBocA== retrieves the WordPress configuration file [2]. The script outputs the file content as a JPEG download, which can be saved and opened in a text editor to view sensitive data. No authentication or user interaction is required.

Impact

Successful exploitation allows an unauthenticated attacker to read arbitrary files on the underlying server, including sensitive files such as wp-config.php. This file contains database credentials (username, password, hostname) and other configuration secrets, leading to full disclosure of sensitive information and potential further compromise of the WordPress installation and server [1].

Mitigation

No patched version of the Photocart Link plugin has been released; the vendor was informed in March 2016 but no fix is publicly available [2]. The plugin appears to be abandoned. The recommended mitigation is to remove or deactivate the plugin immediately. If removal is not possible, restrict access to the wp-content/plugins/photocart-link/ directory via web server rules (e.g., .htaccess).

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing input validation on the base64-decoded 'id' parameter in decode.php allows an unauthenticated attacker to read arbitrary files via path traversal."

Attack vector

An unauthenticated attacker sends a GET request to `/wp-content/plugins/photocart-link/decode.php` with a base64-encoded file path in the `id` parameter. Because the plugin performs no input validation, the attacker can traverse directories (e.g. `Li4vLi4vLi4vd3AtY29uZmlnLnBocA==` decodes to `../../../wp-config.php`) and read arbitrary files from the server. The response is served with a `Content-type: image/jpeg` header, but the file content is readable when saved and opened in a text editor [1].
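The request shape above is easy to hunt for in web-server access logs: every call to `decode.php` carries its target path in the `id` parameter, so decoding that parameter and checking it for traversal or absolute paths separates legitimate image requests from file-read attempts. The following script is an added example, not code from the advisory or the plugin; the log lines are constructed (the second one carries the encoded path quoted above, percent-encoded as a web server would log it) and the function names are hypothetical.

```php
<?php
// Added example, not part of the advisory: scan access-log lines for requests to
// decode.php whose base64 'id' parameter decodes to a traversal or absolute path.
declare(strict_types=1);

/**
 * Return the decoded 'id' if the line is a decode.php request with a valid
 * base64 id, otherwise null.
 */
function photocart_decoded_id(string $logLine): ?string
{
    if (!preg_match('#"(?:GET|POST) ([^ "]*photocart-link/decode\.php\?[^ "]*)#', $logLine, $m)) {
        return null;
    }
    $query = (string)parse_url($m[1], PHP_URL_QUERY);
    parse_str($query, $params);  // also undoes percent-encoding of "=" padding
    if (!isset($params['id']) || !is_string($params['id'])) {
        return null;
    }
    $decoded = base64_decode($params['id'], true);  // strict: reject non-base64
    return $decoded === false ? null : $decoded;
}

/**
 * A ".." component, an absolute path or a NUL byte has no legitimate use for
 * an image id, so any of them marks the request as suspicious.
 */
function photocart_is_suspicious(string $decodedPath): bool
{
    return $decodedPath === ''
        || $decodedPath[0] === '/'
        || $decodedPath[0] === '\\'
        || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $decodedPath) === 1
        || strpos($decodedPath, "\0") !== false;
}

// Constructed sample lines (not real traffic). The first id decodes to
// "images/pic1.jpg"; the second is the advisory's "../../../wp-config.php".
$sampleLog = [
    '203.0.113.10 - - [15/Jun/2026:10:00:01 +0000] "GET /wp-content/plugins/photocart-link/decode.php?id=aW1hZ2VzL3BpYzEuanBn HTTP/1.1" 200 51234',
    '203.0.113.11 - - [15/Jun/2026:10:00:02 +0000] "GET /wp-content/plugins/photocart-link/decode.php?id=Li4vLi4vLi4vd3AtY29uZmlnLnBocA%3D%3D HTTP/1.1" 200 3012',
    '203.0.113.12 - - [15/Jun/2026:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 8000',
];

foreach ($sampleLog as $line) {
    $decoded = photocart_decoded_id($line);
    if ($decoded !== null && photocart_is_suspicious($decoded)) {
        printf("ALERT traversal in decode.php request: %s\n", $line);
    }
}
```

Only the second sample line is flagged. Because the server returns HTTP 200 for successful reads, a status-code filter would not catch these requests; the decoded path is the signal worth alerting on.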

Affected code

The vulnerable file is `decode.php` in the WordPress Photocart Link plugin version 1.6. The script takes a user-supplied `id` parameter, base64-decodes it, and passes the result directly to `readfile()` without any validation or sanitization.

What the fix does

The advisory does not include a published patch. The root cause is the absence of any validation on the `id` parameter before it is passed to `readfile()`. To fix the vulnerability, the plugin must restrict file reads to a specific allowed directory (e.g. the plugin's own image folder), reject path traversal sequences, and validate that the decoded path resolves to an expected location.
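Since no vendor patch exists, the following is an added example of the hardening the passage above describes, written here as a drop-in replacement for the `readfile(base64_decode($_REQUEST['id']))` pattern; it is not the plugin's code. It assumes a plugin image folder named `images` next to the script (a hypothetical path), that the endpoint only ever needs to serve JPEG files, and that the parameter arrives via GET as the advisory describes.

```php
<?php
// Added example, not the plugin's code: a decode.php that confines file reads
// to the plugin's own image directory instead of trusting the decoded 'id'.
declare(strict_types=1);

// Hypothetical allowed directory; the real plugin layout is not in the advisory.
const PHOTOCART_IMAGE_DIR = __DIR__ . '/images';

/**
 * Resolve a base64-encoded id to a file inside $baseDir.
 * Returns the canonical absolute path, or null if the request must be refused.
 */
function photocart_resolve_image(string $encodedId, string $baseDir): ?string
{
    // Strict decoding rejects anything that is not well-formed base64.
    $decoded = base64_decode($encodedId, true);
    if ($decoded === false || $decoded === '') {
        return null;
    }
    // Refuse NUL bytes, absolute paths and any ".." component outright.
    if (strpos($decoded, "\0") !== false
        || $decoded[0] === '/' || $decoded[0] === '\\'
        || preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $decoded) === 1) {
        return null;
    }
    // Serve only the file types this endpoint exists for.
    $ext = strtolower(pathinfo($decoded, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg'], true)) {
        return null;
    }
    // Canonicalise both sides and require containment; this also catches
    // symlinks and encodings that slipped past the textual checks above.
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $decoded);
    if ($base === false || $full === false) {
        return null;
    }
    $base = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $base, strlen($base)) !== 0 || !is_file($full)) {
        return null;
    }
    return $full;
}

$path = photocart_resolve_image((string)($_GET['id'] ?? ''), PHOTOCART_IMAGE_DIR);
if ($path === null) {
    http_response_code(400);
    exit('Invalid image id');
}
header('Content-Type: image/jpeg');
header('Content-Length: ' . (string)filesize($path));
readfile($path);
```

The `realpath()` containment check is the part that actually closes the hole; the textual rejection of `..` and absolute paths before it is there so that malformed input is refused cheaply and with a clear reason, not as the primary control. Deactivating the plugin, as the Mitigation section recommends, remains the simpler fix where it is an option.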

Preconditions

  • config: The WordPress site must have the Photocart Link plugin version 1.6 installed and the decode.php endpoint must be accessible over HTTP.
  • auth: No authentication is required; the attacker can reach the endpoint as an unauthenticated remote user.
  • network: The attacker must be able to send HTTP GET requests to the WordPress server.
  • input: The attacker supplies a base64-encoded file path in the 'id' parameter.

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 3

News mentions: 0 (no linked articles in our index yet)