PatchSiren cyber security CVE debrief
CVE-2016-20080 Brandfolder CVE debrief
CVE-2016-20080 is a local file inclusion vulnerability in the WordPress Brandfolder plugin version 3.0 and earlier. The vulnerability allows unauthenticated attackers to include arbitrary files by manipulating the wp_abspath parameter in callback.php. Attackers can supply path traversal sequences or remote URLs through the wp_abspath parameter to read sensitive files like wp-config.php or execute remote code.
- Vendor
- Brandfolder
- Product
- Unknown
- CVSS
- MEDIUM 6.9
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-15
- Original CVE updated
- 2026-06-15
- Advisory published
- 2026-06-15
- Advisory updated
- 2026-06-15
Who should care
Users of WordPress Brandfolder plugin version 3.0 and earlier should apply patches or mitigations to prevent exploitation.
Technical summary
The WordPress Brandfolder plugin version 3.0 and earlier contains a local file inclusion vulnerability in callback.php. The vulnerability is due to improper handling of the wp_abspath parameter, which allows unauthenticated attackers to include arbitrary files.
Defensive priority
MEDIUM
Recommended defensive actions
- Apply patches or updates to WordPress Brandfolder plugin version 3.0 and earlier.
- Restrict access to callback.php.
- Monitor for suspicious activity.
Evidence notes
The CVE-2016-20080 vulnerability has a CVSS score of 6.9 and is classified as MEDIUM severity.
Official resources
CVE-2016-20080 was published on 2026-06-15T14:16:31.503Z and has not been modified.