Local File Inclusion Vulnerability in Photocart Link by WordPress
CVE-2016-20077

6.9MEDIUM

Key Information:

Vendor

WordPress
Status
Photocart Link
Vendor
CVE Published:
15 June 2026

Badges

๐Ÿ‘พ Exploit Exists๐ŸŸก Public PoC

What is CVE-2016-20077?

The Photocart Link plugin version 1.6 for WordPress is impacted by a local file inclusion vulnerability due to insufficient input validation in its decode.php file. This flaw enables unauthenticated attackers to supply malicious base64-encoded file paths through the 'id' parameter. By exploiting this vulnerability, attackers can access sensitive files on the server, such as wp-config.php, compromising database credentials and configuration data. Website owners using this plugin should take immediate action to secure their systems from potential unauthorized access.

Affected Version(s)

Photocart Link 1.6

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2016-20077 - Proof of Concept

References

https://www.exploit-db.com/exploits/39623
exploit
https://fr.wordpress.org/plugins/photocart-link/
product
https://www.vulncheck.com/advisories/wordpress-plugin-pho...
third-party-advisory

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • ๐ŸŸก

    Public PoC available

  • ๐Ÿ‘พ

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

CrashBandicot @DosPerl
.