VYPR
Medium severity 6.2 · NVD Advisory · Published Jun 15, 2026

CVE-2016-20082

Description

Unauthenticated local file inclusion in WordPress Abtest plugin via the action parameter in abtest_admin.php allows arbitrary file inclusion and code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Abtest plugin for WordPress (versions up to 1.0.6) contains a local file inclusion vulnerability in abtest_admin.php. The script includes a file based on the action GET parameter without proper sanitization, allowing an unauthenticated attacker to include arbitrary .php files from the admin/ directory (or, via path traversal, from elsewhere) [1][2][3].

Exploitation

An unauthenticated attacker can craft a GET request to abtest_admin.php with a malicious action parameter value, for example a path traversal value such as ../../wp-config that includes a file outside the intended directory. Because the code appends .php, the attacker typically targets existing PHP files or uses null byte injection (depending on PHP version) [3].

Impact

Successful exploitation allows the attacker to include arbitrary PHP files from the server, potentially leading to remote code execution if the included file contains executable PHP code. This can result in full compromise of the WordPress installation, including data theft, site defacement, or further attacks on the server infrastructure [2].

Mitigation

The Abtest plugin has been archived and is no longer maintained (last update 2024). No official patch has been released. Users are strongly advised to deactivate and completely remove the plugin from their WordPress installations [1]. As of the CVE publication date (2026-06-15), no fix is available.
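
To review web server access logs for the requests described under Exploitation, the following Python check is an added example, not code from the advisory or the plugin. The combined log format, the PLUGIN_DIR placeholder path, the benign action name settings, and the rule that a legitimate action value is a bare page name are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

TARGET_SCRIPT = "abtest_admin.php"           # script name from the advisory
SAFE_ACTION = re.compile(r"[A-Za-z0-9_-]+")  # assumption: bare page names only
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Constructed sample lines; PLUGIN_DIR and "settings" are placeholders.
SAMPLE_LOG = [
    '198.51.100.4 - - [15/Jun/2026:10:00:01 +0000] "GET /wp-content/plugins/'
    'PLUGIN_DIR/abtest_admin.php?action=settings HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Jun/2026:10:00:07 +0000] "GET /wp-content/plugins/'
    'PLUGIN_DIR/abtest_admin.php?action=../../wp-config HTTP/1.1" 200 0',
    '203.0.113.9 - - [15/Jun/2026:10:00:09 +0000] "GET /wp-content/plugins/'
    'PLUGIN_DIR/abtest_admin.php?action=%252e%252e%252fwp-config HTTP/1.1" 200 0',
    '198.51.100.4 - - [15/Jun/2026:10:00:12 +0000] "GET /index.php?action=../x '
    'HTTP/1.1" 404 0',
]


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .)."""
    for _ in range(rounds):
        value = unquote(value)
    return value


def classify(line):
    """Return a reason string for a suspicious request, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/" + TARGET_SCRIPT):
        return None  # only requests to the vulnerable script are in scope
    for raw in parse_qs(url.query).get("action", []):
        value = fully_decode(raw)
        if "\x00" in value:
            return "null byte in action"
        if ".." in value or "/" in value or "\\" in value:
            return "path traversal in action"
        if not SAFE_ACTION.fullmatch(value):
            return "unexpected characters in action"
    return None


def scan(lines):
    """Return (line_number, reason) for every flagged line."""
    hits = ((n, classify(line)) for n, line in enumerate(lines, 1))
    return [(n, reason) for n, reason in hits if reason]
```

Any hit on a host where the plugin was installed is a reason to review that request's response size and the surrounding activity from the same client.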

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 2
