PatchSiren cyber security CVE debrief
CVE-2016-20078 Henrique Dias CVE debrief
CVE-2016-20078 is a local file inclusion vulnerability in WordPress IMDb Profile Widget version 1.0.8. This vulnerability allows unauthenticated attackers to read arbitrary files by manipulating the URL parameter in GET requests to `pic.php`. Attackers can supply directory traversal sequences to access sensitive files, such as `wp-config.php`, which contains database credentials and configuration data.
- Vendor: Henrique Dias
- Product: IMDb Profile Widget
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of WordPress IMDb Profile Widget version 1.0.8 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability has a CVSS score of 6.9 and is classified as MEDIUM severity. It can be exploited locally with low attack complexity and no privileges required.
Defensive priority
MEDIUM
Recommended defensive actions
- Update WordPress IMDb Profile Widget to a version that is not vulnerable.
- Restrict access to `pic.php` to authenticated users only.
- Monitor `pic.php` for suspicious activity.
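One way to implement the monitoring step is to scan web server access logs for GET requests to `pic.php` whose query values contain directory traversal sequences or name `wp-config.php`. This is an added example, not code from the advisory or the plugin. It assumes combined-format access logs; the `PLUGIN_DIR` path segment and the sample log lines are constructed, and the parameter name `url` follows this page's wording (the check inspects every query parameter regardless of name).

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")          # ../ or ..\
SENSITIVE_RE = re.compile(r"wp-config\.php", re.I)

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding (e.g. %252e -> %2e -> '.')."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_pic_requests(lines):
    """Return (line_no, parameter, reasons) for GET requests to pic.php whose
    query values carry traversal sequences or name wp-config.php."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if not m or m.group("method") != "GET":
            continue
        target = urlsplit(m.group("target"))
        if not target.path.lower().endswith("/pic.php"):
            continue
        # parse_qsl decodes once; fully_decode handles double encoding.
        for name, raw in parse_qsl(target.query, keep_blank_values=True):
            value = fully_decode(raw)
            reasons = [label for label, rx in (("traversal", TRAVERSAL_RE),
                                               ("wp-config.php", SENSITIVE_RE))
                       if rx.search(value)]
            if reasons:
                hits.append((line_no, name, reasons))
    return hits

# Constructed sample lines (combined log format); PLUGIN_DIR is a placeholder.
PREFIX = '203.0.113.9 - - [01/Jan/2024:10:00:00 +0000] "GET '
PIC = "/wp-content/plugins/PLUGIN_DIR/pic.php"
SAMPLE_LOG = [
    PREFIX + PIC + '?url=https://example.org/poster.jpg HTTP/1.1" 200 5120',
    PREFIX + PIC + '?url=../../wp-config.php HTTP/1.1" 200 3312',
    PREFIX + PIC + '?url=%252e%252e%252fwp-config.php HTTP/1.1" 200 3312',
    PREFIX + '/index.php?p=1 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for hit in suspicious_pic_requests(SAMPLE_LOG):
        print(hit)
```

A hit paired with a 200 response and a body size unlike a normal image response is worth prioritising, since it suggests file contents were returned.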
Evidence notes
Evidence from [ref-5](https://www.exploit-db.com/exploits/39621) and [ref-6](https://www.vulncheck.com/advisories/wordpress-imdb-profile-widget-local-file-inclusion-via-pic-php) suggests that this vulnerability can be exploited via directory traversal sequences in GET requests.
Official resources
CVE-2016-20078 was published on 2026-06-15T14:16:31.220Z and has not been modified since.