CVE-2016-20079

Vulnerability

The WordPress Dharma Booking plugin, version 2.28.3 and earlier, contains a local file inclusion (LFI) vulnerability in the file dharma-booking/frontend/ajax/gateways/proccess.php. The script unsafely uses $_GET['gateway'] in a require_once() call without proper sanitization, allowing an attacker to control which file is included. The vulnerability is categorized under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). Affected versions are all releases up to and including 2.28.3 [1][2].

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable endpoint. The attacker manipulates the gateway parameter in the URL, using directory traversal sequences (e.g., ../../../../../../etc/passwd) combined with null byte injection (%00) to terminate the appended .php extension. For example: http://target/wp/dharma-booking/frontend/ajax/gateways/proccess.php?gateway=../../../../../../etc/passwd%00. No authentication or prior access is required [2].

Impact

Successful exploitation allows an unauthenticated attacker to read arbitrary files on the server, including sensitive configuration files, system files, and potentially WordPress credentials. The impact is primarily information disclosure, leading to a compromise of confidentiality. The CVSS v3 severity is Medium at 6.2, with a vector indicating high confidentiality impact but no integrity or availability impact [1].

Mitigation

The Dharma Booking plugin has been closed and is no longer available for download as of March 8, 2015, due to an unknown reason [3]. No patched version has been released. Since the plugin is closed and unsupported, users must remove or deactivate it from any active WordPress installation. There is no known workaround. The vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing.