PatchSiren cyber security CVE debrief
CVE-2016-20077 KaymeePhotography CVE debrief
CVE-2016-20077 is a local file inclusion vulnerability in WordPress Plugin Photocart Link 1.6. The vulnerability allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in decode.php. Attackers can supply base64-encoded file paths in the 'id' parameter to the decode.php endpoint to retrieve sensitive files like wp-config.php containing database credentials and configuration data.
- Vendor: KaymeePhotography
- Product: Photocart Link
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of WordPress Plugin Photocart Link 1.6 should be aware of this vulnerability and take action to mitigate it.
Technical summary
The vulnerability has a CVSS score of 6.9 and a severity of MEDIUM. It is recommended that users update to a patched version of the plugin.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to a patched version of WordPress Plugin Photocart Link
- Restrict access to the decode.php endpoint
- Monitor for suspicious activity
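One way to act on the monitoring item above, as an added example that is not part of the original advisory or the plugin's code: scan web access logs for decode.php requests whose base64 'id' value decodes to a file path. The log format (combined), the plugin directory placeholder, the sample lines and the path heuristics are all assumptions made for illustration.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_id(value):
    """Base64-decode an 'id' value; return None when it is not valid base64."""
    value = value.replace(" ", "+")       # parse_qs turns '+' into a space
    value += "=" * (-len(value) % 4)      # tolerate stripped padding
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def is_file_path_probe(decoded):
    """Heuristic (assumption): traversal, absolute path, or wp-config target."""
    return ".." in decoded or decoded.startswith("/") or "wp-config" in decoded.lower()

def suspicious_requests(lines):
    """Return (client_ip, decoded_id) pairs for decode.php requests to review."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        url = urlsplit(match.group(1)) if match else None
        if url is None or not url.path.lower().endswith("/decode.php"):
            continue
        for raw in parse_qs(url.query).get("id", []):
            decoded = decode_id(raw)
            if decoded is not None and is_file_path_probe(decoded):
                hits.append((line.split()[0], decoded))
    return hits

def _log(ip, path):  # builds a constructed combined-log line, not real traffic
    return f'{ip} - - [15/Jun/2026:10:00:00 +0000] "GET {path} HTTP/1.1" 200 512 "-" "-"'

def _b64(text):
    return base64.b64encode(text.encode()).decode()

PLUGIN = "/wp-content/plugins/EXAMPLE-PLUGIN-DIR"  # placeholder path (assumption)
SAMPLE_LOG = [
    _log("192.0.2.10", f"{PLUGIN}/decode.php?id={_b64('gallery-42')}"),
    _log("198.51.100.7", f"{PLUGIN}/decode.php?id={_b64('../../../wp-config.php')}"),
    _log("192.0.2.11", f"/index.php?id={_b64('../../../wp-config.php')}"),
    _log("192.0.2.12", f"{PLUGIN}/decode.php?id=not_base64!"),
]
```

Only the second sample line is reported: the first decodes to a non-path value, the third targets a different script, and the fourth is not valid base64.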
Evidence notes
The vulnerability was reported by [email protected] and has references on exploit-db and vulncheck.com.
Official resources
CVE-2016-20077 was published on 2026-06-15T14:16:31.077Z and last modified on 2026-06-15T14:16:31.077Z.