CVE-2016-20081
Description
Unauthenticated path traversal in HB Audio Gallery Lite ≤1.0.0 lets attackers download arbitrary files like wp-config.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WordPress plugin HB Audio Gallery Lite version 1.0.0 contains a path traversal vulnerability (CWE-22) in the file /gallery/audio-download.php. The script unsafely passes the user-supplied file_path parameter into file operations without sanitization, allowing directory traversal sequences such as ../../. No authentication is required to reach this endpoint. The plugin has been closed since March 2016 and is no longer available for download [1][2].
Exploitation
An unauthenticated attacker sends a crafted HTTP GET request to wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php with the file_path parameter containing directory traversal sequences and a file_size parameter (e.g., file_path=../../../../wp-config.php&file_size=10). The server responds with the contents of the requested file as a download. Proof-of-concept code was published on Exploit-DB in March 2016 [3].
Impact
Successful exploitation allows the attacker to read sensitive files from the server, including the WordPress configuration file wp-config.php, which contains database credentials and the authentication salts and keys. This is a full information disclosure and can facilitate further compromise of the WordPress installation. The readable files are not limited to the intended gallery directory; the only bound is what the web server process itself is permitted to read [2][3].
Mitigation
The plugin is closed and no longer available; no patched version was ever released. The only effective mitigation is to completely remove the plugin from any WordPress installation. Deactivating it is not enough: audio-download.php is requested directly by URL and does not go through WordPress's plugin loader, so the file stays reachable until the plugin directory is deleted. As of the publication date, this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: = 1.0.0
- (no CPE) range: <= 1.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the file_path parameter allows directory traversal."
Attack vector
An unauthenticated attacker sends a GET request to `/wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php` with a `file_path` parameter containing directory traversal sequences (e.g., `../../../../wp-config.php`) and a `file_size` parameter. The script does not validate or sanitize the path, allowing arbitrary file reads outside the intended gallery directory [ref_id=1].
Affected code
The vulnerable file is `gallery/audio-download.php` in the HB Audio Gallery Lite plugin version 1.0.0. The script directly uses the user-supplied `file_path` parameter without sanitization, passing it to file operations and the `Content-Disposition` header.
What the fix does
The advisory does not include a patch diff. The remediation would require canonicalizing the joined path (resolving `..` components and symbolic links, as `realpath()` does) and then rejecting any result that does not lie inside the plugin's intended gallery directory, rather than only filtering `..` sequences from the raw input.
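The containment check described above, written here in Python as an added example; it is not the plugin's own code (which is PHP and was never patched). The directory layout, file names and the handler names `vulnerable_read` and `hardened_read` are constructed for the example. The gallery directory sits four levels below the fake WordPress root, so the page's `../../../../wp-config.php` payload resolves exactly as it would on a real install, and a symlink case covers the second escape route the remediation must close.

```python
import os
import tempfile


def make_sandbox():
    """Constructed layout: <root>/wp-content/plugins/hb-audio-gallery-lite/gallery
    plus a fake wp-config.php at <root>. Also plants a symlink inside the gallery
    that points at wp-config.php (the symlink escape case)."""
    root = tempfile.mkdtemp(prefix="wp-")
    gallery = os.path.join(root, "wp-content", "plugins",
                           "hb-audio-gallery-lite", "gallery")
    os.makedirs(gallery)
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
    with open(os.path.join(gallery, "track.mp3"), "wb") as f:
        f.write(b"ID3constructed-audio")
    os.symlink(os.path.join(root, "wp-config.php"),
               os.path.join(gallery, "leak.mp3"))
    return root, gallery


def vulnerable_read(gallery_dir, file_path):
    """Mirrors the flaw: user input is joined onto the base directory with no
    check, so '../' components walk out of the gallery and an absolute path
    replaces the base entirely (os.path.join discards the base in that case)."""
    target = os.path.join(gallery_dir, file_path)
    with open(target, "rb") as f:
        return f.read()


def hardened_read(gallery_dir, file_path):
    """Canonicalise first (resolves '..' and symlinks), then require the result
    to stay inside the gallery. commonpath avoids the 'gallery' vs 'gallery2'
    string-prefix pitfall of a plain startswith() check."""
    base = os.path.realpath(gallery_dir)
    target = os.path.realpath(os.path.join(base, file_path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes gallery directory: %r" % file_path)
    if not os.path.isfile(target):
        raise FileNotFoundError(file_path)
    with open(target, "rb") as f:
        return f.read()


def demo():
    """Run both handlers over the same inputs and classify each outcome as
    'served' (gallery file returned), 'leaked' (wp-config contents returned)
    or 'rejected' (containment check fired)."""
    root, gallery = make_sandbox()
    cases = {
        "legit": "track.mp3",
        "traversal": "../../../../wp-config.php",   # the payload from the advisory
        "symlink": "leak.mp3",                       # no '..' at all, still escapes
    }
    results = {}
    for name, fp in cases.items():
        for handler in (vulnerable_read, hardened_read):
            try:
                data = handler(gallery, fp)
                results[(handler.__name__, name)] = (
                    "leaked" if b"DB_PASSWORD" in data else "served")
            except PermissionError:
                results[(handler.__name__, name)] = "rejected"
    return results


if __name__ == "__main__":
    for key, outcome in sorted(demo().items()):
        print("%-16s %-10s %s" % (key[0], key[1], outcome))
```

The symlink case is why filtering `..` from the input is not a fix: `leak.mp3` contains no traversal sequence yet `vulnerable_read` hands back wp-config.php, while `hardened_read` rejects it because `realpath()` runs before the comparison.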
Preconditions
- config: The WordPress site must have the HB Audio Gallery Lite plugin version 1.0.0 installed and active.
- auth: No authentication is required; the endpoint is publicly accessible.
- network: The attacker must be able to reach the WordPress instance over HTTP/HTTPS.
- input: The attacker supplies a `file_path` parameter with directory traversal sequences and a `file_size` parameter.
Reproduction
Send a GET request to `/wp-content/plugins/hb-audio-gallery-lite/gallery/audio-download.php?file_path=../../../../wp-config.php&file_size=10` to download the WordPress configuration file [ref_id=1].
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (3)
News mentions (0)
No linked articles in our index yet.