CVE-2016-20064

Description

WP Vault 0.8.6.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting an unescaped parameter in the include functionality. Attackers can supply directory traversal sequences through the wpv-image GET parameter to access sensitive files like system configuration and credentials.

PUBLISHED Reserved 2026-06-09 | Published 2026-06-09 | Updated 2026-06-09 | Assigner VulnCheck

Problem types

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Product status

Credits

Lenon Leite finder

References

www.exploit-db.com/exploits/40850 (ExploitDB-40850) exploit

wordpress.org/plugins/wp-vault/ (Official Product Homepage) product

lenonleite.com.br/ (Official Product Homepage) product

www.vulncheck.com/...-file-inclusion-via-wpv-image-parameter (VulnCheck Advisory: WP Vault 0.8.6.6 Local File Inclusion via wpv-image Parameter) third-party-advisory

cve.org (CVE-2016-20064)

nvd.nist.gov (CVE-2016-20064)

Download JSON