VYPR
Medium severity (6.2) · NVD Advisory · Published Jun 15, 2026

CVE-2016-20078


Description

WordPress IMDb Profile Widget 1.0.8 allows unauthenticated attackers to read arbitrary files via directory traversal in the url parameter of pic.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The WordPress IMDb Profile Widget plugin version 1.0.8 and earlier contains a local file inclusion vulnerability in pic.php. The plugin calls readfile($_GET['url']) without sanitizing the url parameter, allowing directory traversal sequences such as ../../../ to be passed in GET requests [1][2]. The affected file is pic.php, located in /wp-content/plugins/imdb-widget/. An attacker can exploit this to read arbitrary files from the server's filesystem.

Exploitation

An unauthenticated attacker can send a crafted GET request to the vulnerable pic.php endpoint. The request includes a url parameter containing directory traversal sequences to navigate outside the plugin's intended directory. For example, the payload url=../../../wp-config.php will read the WordPress configuration file [2]. The response is served as a JPEG image (Content-Type: image/jpeg), but the file content can be saved and renamed to reveal the original content. No authentication or prior access is required; the attack is performed remotely over HTTP.

Impact

Successful exploitation allows an attacker to read sensitive files from the WordPress installation directory. This includes wp-config.php, which contains database credentials (username, password, host) and other configuration secrets [1]. The attacker gains access to confidential information, potentially leading to full site compromise. The confidentiality of the system is breached; integrity and availability are not directly affected.

Mitigation

A fix was not released by the vendor; the plugin was closed and removed from the WordPress plugin repository [1][2]. Users should delete the imdb-widget plugin entirely from their WordPress installation. No patched version exists. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of publication date. The only mitigation is to remove or disable the plugin.
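Because no patched version exists, the practical defensive work besides removing the plugin is checking whether the endpoint was ever hit with traversal payloads. The following is an added example, not code from the advisory or from the plugin: it scans constructed Apache combined-format access log lines (the IPs, timestamps and user agents are made up), isolates requests to pic.php, and flags any url parameter that resolves outside a relative image directory. It goes slightly beyond the single payload quoted above by also normalising percent-encoded and double-encoded values and "images/../.." style mixes, so that encoded variants are not missed.

```python
import re
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed sample lines (Apache combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jun/2026:10:01:02 +0000] "GET /wp-content/plugins/imdb-widget/pic.php?url=../../../wp-config.php HTTP/1.1" 200 3120 "-" "curl/8.0"
203.0.113.11 - - [15/Jun/2026:10:01:05 +0000] "GET /wp-content/plugins/imdb-widget/pic.php?url=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1840 "-" "python-requests/2.31"
203.0.113.12 - - [15/Jun/2026:10:01:09 +0000] "GET /wp-content/plugins/imdb-widget/pic.php?url=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.7 - - [15/Jun/2026:10:02:00 +0000] "GET /wp-content/plugins/imdb-widget/pic.php?url=images/poster.jpg HTTP/1.1" 200 45211 "-" "Mozilla/5.0"
198.51.100.8 - - [15/Jun/2026:10:02:30 +0000] "GET /wp-content/plugins/imdb-widget/pic.php?url=/etc/hostname HTTP/1.1" 200 20 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Jun/2026:10:03:00 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: we only need client, method,
# request target and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (%252e) is normalised too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def query_params(query):
    """Yield (name, raw_value) pairs without decoding the value,
    so the finding records exactly what the client sent."""
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield unquote(name), value


def is_traversal(raw):
    """True when the decoded value would escape a relative image directory."""
    value = fully_decode(raw).replace("\\", "/")
    if value.startswith("/") or "\x00" in value:
        return True  # absolute server path or NUL-byte truncation attempt
    # normpath collapses "images/../../x" to "../x", so a leading ".." after
    # normalisation means the path climbs above the base directory.
    norm = posixpath.normpath(value)
    return norm == ".." or norm.startswith("../")


def scan_log(text):
    """Return one finding per pic.php request whose url parameter is a traversal."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/pic.php"):
            continue  # only the vulnerable endpoint is of interest here
        for name, raw in query_params(parts.query):
            if name == "url" and is_traversal(raw):
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "status": int(m.group("status")),
                    "raw": raw,
                    "decoded": fully_decode(raw),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} url={f['raw']!r} -> {f['decoded']!r}")
```

A 200 status on a flagged request is the line to worry about: with the plugin serving the file as image/jpeg, a successful read looks like an ordinary image fetch unless the url parameter is inspected, which is why the scan keys on the parameter rather than on response size or content type.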

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

No source-code context for this CVE: mechanics are only generated when the actual fix diff can be read. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 3

News mentions: 0 (no linked articles in the index yet)