CVE-2016-20077
MediumCVSS 6.2Exploitation Probability (EPSS)
Low risk29th percentile — higher than 29% of all known CVEs
Summary
The WordPress Plugin Photocart Link version 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in decode.php.
Risk Assessment
Attackers can access sensitive files like wp-config.php, potentially exposing database credentials and configuration information.
Recommendation
It is recommended to update the plugin to the latest version and implement appropriate security measures to minimize the risk of local file inclusion attacks.
Original NVD description (English source)
WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in decode.php. Attackers can supply base64-encoded file paths in the 'id' parameter to the decode.php endpoint to retrieve sensitive files like wp-config.php containing database credentials and configuration data.

