CVE-2016-20079

MEDIUM

WordPress Dharma Booking 2.28.3 Local File Inclusion via proccess.php

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2016-20079. PoCs published by AMAR^SHG.

AI-analyzed exploit summary The exploit demonstrates a Local File Inclusion (LFI) vulnerability in the WordPress Dharma Booking plugin (version <=2.28.3). The vulnerability arises from unsanitized user input in the 'gateway' parameter, allowing arbitrary file inclusion via path traversal sequences.

Description

WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Attackers can supply file paths with directory traversal sequences or null byte injection to the gateway parameter in proccess.php to read sensitive files like configuration and system files.

Exploits (1)

exploitdb WORKING POC

by AMAR^SHG · textwebappsphp

https://www.exploit-db.com/exploits/39592

View Code ZIP pw:eip

The exploit demonstrates a Local File Inclusion (LFI) vulnerability in the WordPress Dharma Booking plugin (version <=2.28.3). The vulnerability arises from unsanitized user input in the 'gateway' parameter, allowing arbitrary file inclusion via path traversal sequences.

Classification

Working Poc 90%

Attack Type

Info Leak

Complexity

Trivial

Reliability

Reliable

Target: WordPress Dharma Booking plugin <=2.28.3

No auth needed

Prerequisites: WordPress installation with Dharma Booking plugin <=2.28.3

MITRE ATT&CK

T1005 - Data from Local System T1552 - Unsecured Credentials

devstral-2 · analyzed Jun 15, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit exploit

ExploitDB-39592

https://www.exploit-db.com/exploits/39592

Product product

Official Product Homepage

https://wordpress.org/plugins/dharma-booking/

Third Party Advisory third-party-advisory

VulnCheck Advisory: WordPress Dharma Booking 2.28.3 Local File Inclusion via proccess.php

https://www.vulncheck.com/advisories/wordpress-dharma-booking-local-file-inclusion-via-proccess-php

Scores

CVSS v3 6.2

EPSS 0.0078

EPSS Percentile 51.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-98

Status published

Products (1)

jamie/Dharma Booking < 2.28.3

Published Jun 15, 2026

Tracked Since Jun 15, 2026