CVE-2016-20078

MEDIUM

WordPress IMDb Profile Widget 1.0.8 Local File Inclusion via pic.php


Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-20078. PoCs published by CrashBandicot.

AI-analyzed exploit summary

The exploit demonstrates a Local File Inclusion (LFI) vulnerability in the WordPress IMDb Profile Widget plugin (version 1.0.8) via the 'pic.php' file, which unsafely includes user-supplied input from the 'url' parameter. This allows an attacker to read arbitrary files on the server, such as 'wp-config.php'.

Description

WordPress IMDb Profile Widget 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Attackers can supply directory traversal sequences in GET requests to pic.php to access sensitive files like wp-config.php containing database credentials and configuration data.

Exploits (1)

exploitdb · Working PoC · Verified
by CrashBandicot · text · webapps · php
https://www.exploit-db.com/exploits/39621


Classification

Working PoC: 100%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: WordPress IMDb Profile Widget plugin 1.0.8
Authentication: No auth needed
Prerequisites: Access to the vulnerable 'pic.php' endpoint
Analyzed by devstral-2 on Jun 15, 2026

References (3)

Exploit: ExploitDB-39621
https://www.exploit-db.com/exploits/39621

Product: Official Product Homepage
https://wordpress.org/plugins/imdb-widget/

Third Party Advisory: VulnCheck Advisory: WordPress IMDb Profile Widget 1.0.8 Local File Inclusion via pic.php
https://www.vulncheck.com/advisories/wordpress-imdb-profile-widget-local-file-inclusion-via-pic-php

Scores

CVSS v3: 6.2
EPSS: 0.0069
EPSS Percentile: 47.9%
Attack Vector: LOCAL
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-98
Status: published
Products (1): Henrique Dias / IMDb Profile Widget 1.0.8
Published: Jun 15, 2026
Tracked Since: Jun 15, 2026