CVE-2016-20079 in Dharma Booking
Summary
by MITRE • 06/15/2026
WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Attackers can supply file paths with directory traversal sequences or null byte injection to the gateway parameter in proccess.php to read sensitive files like configuration and system files.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 06/15/2026
This vulnerability exists within the WordPress Dharma Booking plugin version 2.28.3 and earlier, representing a critical local file inclusion flaw that can be exploited by unauthenticated attackers. The vulnerability stems from insufficient input validation and sanitization of the gateway parameter within the proccess.php file, which directly accepts user-supplied data without proper filtering mechanisms. The flaw allows malicious actors to manipulate the gateway parameter through directory traversal sequences such as ../ or ../../, enabling them to navigate the file system and access sensitive files that should remain protected. Additionally, null byte injection techniques can be employed to bypass certain validation checks and extend the attack surface further. The vulnerability is classified as a local file inclusion issue under CWE-98, which specifically addresses the problem of allowing attackers to include local files through untrusted input. This weakness falls under the ATT&CK technique T1505.003 for server-side include attacks, where adversaries exploit web applications to execute arbitrary code or access restricted files. The impact of this vulnerability is severe as it allows attackers to read configuration files, system files, and potentially sensitive data that could lead to further exploitation or system compromise. Attackers can leverage this flaw to extract database credentials, plugin configurations, and other system-related information that could be used for privilege escalation or lateral movement within the affected environment.
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with the capability to potentially gain deeper access to the WordPress installation and underlying system. When attackers successfully exploit this vulnerability, they can access files such as wp-config.php which contains database connection details, potentially leading to database compromise. The vulnerability affects the core functionality of the booking plugin and could allow for complete system compromise if attackers can manipulate the file inclusion process to execute malicious code. The lack of authentication requirements makes this particularly dangerous as any user can attempt to exploit this vulnerability without needing valid credentials. This flaw demonstrates poor input validation practices and highlights the importance of implementing proper sanitization and validation for all user-supplied parameters in web applications. The vulnerability creates a persistent threat vector that remains active until the affected plugin is updated or the vulnerability is patched, making it a significant concern for WordPress administrators and security teams managing multiple sites. Organizations using this plugin are at risk of unauthorized access to their booking systems and potentially broader system compromise.
Mitigation strategies for this vulnerability should include immediate patching of the WordPress Dharma Booking plugin to version 2.28.4 or later, which contains the necessary fixes for the local file inclusion vulnerability. System administrators should implement web application firewall rules to block suspicious directory traversal patterns and null byte sequences in URL parameters. Input validation should be strengthened at the application level to sanitize all gateway parameter values and reject any attempts at directory traversal. Network segmentation and access controls should be implemented to limit exposure of vulnerable systems. Regular security audits and vulnerability assessments should be conducted to identify similar issues in other plugins or components. The remediation process should also include monitoring for exploitation attempts and implementing proper logging of file access patterns. Organizations should also consider implementing automated patch management systems to ensure timely updates of all WordPress plugins and themes. Additionally, security awareness training for administrators can help prevent the installation of vulnerable plugins and ensure proper security practices are followed throughout the organization. The vulnerability serves as a reminder of the critical importance of keeping all web application components updated and implementing defense-in-depth strategies to protect against similar attacks. Regular security assessments and penetration testing should be conducted to identify and remediate similar vulnerabilities before they can be exploited by malicious actors.