CVE-2016-20080
Description
Unauthenticated local/remote file inclusion in WordPress Brandfolder plugin ≤3.0 via wp_abspath parameter in callback.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in the callback.php file [1][3]. The plugin’s callback.php script directly uses the $_REQUEST['wp_abspath'] parameter to construct paths for require_once statements, including wp-load.php and other core files [3]. An unauthenticated attacker can manipulate this parameter with path traversal sequences or remote URLs, leading to arbitrary file inclusion [3][4]. The vulnerable versions are those up to and including 3.0 [3][4].
Exploitation
An unauthenticated attacker needs only network access to the WordPress installation. By sending a crafted HTTP request to the callback.php endpoint, the attacker supplies a wp_abspath parameter containing path traversal characters such as ../../../ or a full remote URL (e.g., http://evil/) [3]. The code will then include the attacker-controlled file, which can be a local file like wp-config.php or a remote file hosted on an attacker’s server [3][4]. No authentication or special privileges are required [4].
Impact
Successful exploitation allows the attacker to read sensitive local files such as wp-config.php, which often contains database credentials [3][4]. If remote file inclusion is possible, the attacker can execute arbitrary PHP code on the server by including a malicious wp-load.php from their own host [3][4]. This can lead to full site compromise, including data theft, privilege escalation, and persistent backdoor access. The confidentiality impact is high on its own, and with code execution the impact extends to integrity and availability as well [4].
Mitigation
As of the latest available plugin update, no patched version has been released [1][3]. Users are advised to remove or disable the Brandfolder plugin entirely until a fix is provided [1][3]. Given that the plugin connects to external Brandfolder API services [1], an alternative solution may be to replace it with an actively maintained plugin. The vulnerability has been publicly disclosed with proof-of-concept code [3], increasing the risk of exploitation.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 affected products
- (no CPE)
- (no CPE), range: <=3.0
Patches
0 patches. No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation in `callback.php` allows unauthenticated attackers to control the `wp_abspath` parameter used in `require_once()` calls, leading to local or remote file inclusion."
Attack vector
An unauthenticated attacker sends a crafted HTTP GET request to `callback.php` with a malicious `wp_abspath` parameter. By supplying path-traversal sequences (e.g., `../../../`) together with a null-byte terminator (`%00`), the attacker can include arbitrary local files. Alternatively, an attacker can supply a remote URL (e.g., `http://evil/`) pointing to a server that hosts a malicious `wp-load.php`, achieving remote file inclusion and potential code execution [ref_id=1].
Affected code
The vulnerability resides in `callback.php` of the Brandfolder plugin for WordPress. The first lines of the file directly pass the user-supplied `wp_abspath` parameter from `$_REQUEST` into `require_once()` calls without any sanitization or validation [ref_id=1].
What the fix does
The recommended fix is to validate and sanitize the `wp_abspath` parameter before it is used in any file-inclusion operation. The advisory does not provide a patch diff, but the exploit author notes that the plugin must not blindly trust input arriving through `$_REQUEST`. Without such validation, an attacker controls the path passed to `require_once()` and can include arbitrary files.
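The following is an added example, not the Brandfolder plugin's own code, showing the two ways a callback script can avoid the pattern described above. The assumed vulnerable shape (a `require_once()` built from `$_REQUEST['wp_abspath']`) is shown only in a comment; the functions `find_wp_load()` and `validate_abspath()` and the standard `wp-content/plugins/<plugin>/` layout are assumptions of this example. The preferred fix derives the bootstrap path from the script's own location so that no request data reaches `require_once()` at all; the validator is only for the case where the parameter has to be kept for compatibility.

```php
<?php
// Added example (not the Brandfolder plugin's own code). A callback script that
// must bootstrap WordPress should derive the path to wp-load.php from its own
// location on disk, so that nothing from the HTTP request reaches require_once().
// The vulnerable shape the advisory describes is assumed to look like:
//
//     require_once($_REQUEST['wp_abspath'] . 'wp-load.php');
//
// where any client-supplied string (traversal, null byte, http:// URL) becomes
// the include path.

/**
 * Locate wp-load.php by walking up from $start_dir (normally __DIR__).
 * Assumes the standard WordPress layout, wp-content/plugins/<plugin>/,
 * a few levels below the directory holding wp-load.php.
 */
function find_wp_load(string $start_dir, int $max_depth = 6): ?string
{
    $dir = realpath($start_dir);
    if ($dir === false) {
        return null;
    }
    for ($depth = 0; $depth <= $max_depth; $depth++) {
        $candidate = $dir . DIRECTORY_SEPARATOR . 'wp-load.php';
        if (is_file($candidate)) {
            return $candidate;
        }
        $parent = dirname($dir);
        if ($parent === $dir) {
            break; // filesystem root reached without finding WordPress
        }
        $dir = $parent;
    }
    return null;
}

/**
 * Only if the wp_abspath parameter must be kept for compatibility: accept it
 * solely when it canonicalises to a directory inside $allowed_root that
 * actually contains wp-load.php. Null bytes and stream wrappers (http://,
 * php://, data:, phar:, ...) are rejected before the filesystem is consulted,
 * and realpath() collapses ../ so the prefix comparison is made on the real path.
 */
function validate_abspath(string $candidate, string $allowed_root): ?string
{
    if ($candidate === '' || strpos($candidate, "\0") !== false) {
        return null;
    }
    // Two or more letters before ':' is a scheme (http:, php:, data:, phar:);
    // a single letter ('C:') is a Windows drive and is allowed through.
    if (preg_match('#^[a-z][a-z0-9+.\-]+:#i', $candidate)) {
        return null;
    }
    $resolved = realpath($candidate);
    $root     = realpath($allowed_root);
    if ($resolved === false || $root === false) {
        return null;
    }
    $sep = DIRECTORY_SEPARATOR;
    if (strpos($resolved . $sep, $root . $sep) !== 0) {
        return null; // canonical path escaped the allowed root
    }
    $load = $resolved . $sep . 'wp-load.php';
    return is_file($load) ? $load : null;
}

// Preferred bootstrap: ignore the request entirely.
$wp_load = find_wp_load(__DIR__);
if ($wp_load === null) {
    http_response_code(500);
    exit('WordPress bootstrap not found');
}
require_once $wp_load;
```

Because `realpath()` returns the canonical path (or `false` for anything that does not exist on the local filesystem), `validate_abspath()` rejects `../` sequences that escape the root, `%00`-terminated strings, and remote URLs alike, and it only ever returns a path to an existing `wp-load.php`. Note that the two checks differ in kind: `find_wp_load()` removes the attacker's influence on the include path altogether, while `validate_abspath()` merely constrains it, so the former is the one to prefer.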
Preconditions
- config: The Brandfolder plugin version 3.0 or earlier must be installed and active on the WordPress site.
- auth: No authentication is required; the attacker can reach `callback.php` over HTTP(S).
- network: The attacker must be able to send HTTP GET requests to the vulnerable `callback.php` endpoint.
- input: The attacker supplies a malicious `wp_abspath` parameter with path-traversal sequences or a remote URL.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4 references.
News mentions: 0. No linked articles in our index yet.