CVE-2016-20078 in IMDb Profile Widget
Summary
by MITRE • 06/15/2026
WordPress IMDb Profile Widget 1.0.8 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the url parameter. Attackers can supply directory traversal sequences in GET requests to pic.php to access sensitive files like wp-config.php containing database credentials and configuration data.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 06/15/2026
The WordPress IMDb Profile Widget plugin version 1.0.8 contains a critical local file inclusion vulnerability that represents a significant security risk for affected WordPress installations. This vulnerability stems from inadequate input validation and sanitization within the plugin's pic.php script, which processes user-supplied url parameters without proper restrictions. The flaw allows unauthenticated attackers to exploit directory traversal sequences through GET requests, enabling them to access arbitrary files on the server filesystem. The vulnerability directly maps to CWE-22 known as "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" which is classified as a high-risk weakness in the Common Weakness Enumeration catalog. The attack vector specifically targets the pic.php endpoint where the url parameter is processed, allowing malicious actors to manipulate file paths and retrieve sensitive information from the web server.
The operational impact of this vulnerability extends far beyond simple information disclosure, as attackers can access critical system files including wp-config.php which contains database credentials, authentication keys, and other sensitive configuration data. This exposure creates a pathway for attackers to escalate their privileges and potentially gain complete control over the affected WordPress installation. The vulnerability affects any WordPress site running the specific plugin version, making it particularly dangerous as it requires no authentication or prior access to the system. The lack of authentication requirements means that any user with access to the affected website can exploit this vulnerability, significantly expanding the attack surface. This weakness aligns with ATT&CK technique T1213.002 for "External Remote Services" and represents a classic privilege escalation vector that can lead to full system compromise.
Security practitioners should immediately implement mitigation strategies to protect affected systems from exploitation. The most effective immediate solution involves updating the WordPress IMDb Profile Widget plugin to a patched version that properly validates and sanitizes input parameters before processing. Additionally, implementing proper input validation at the web server level through mod_security rules or similar security modules can help block malicious directory traversal attempts. Network segmentation and access control measures should be enforced to limit exposure, while monitoring systems should be configured to detect unusual file access patterns that may indicate exploitation attempts. Regular security audits and vulnerability assessments should be conducted to identify similar weaknesses in other plugins or components of the WordPress ecosystem. Organizations should also consider implementing web application firewalls that can detect and block known attack patterns associated with path traversal vulnerabilities. The vulnerability demonstrates the critical importance of proper input validation and the potential consequences of inadequate security controls in widely deployed web applications.