CVE-2016-20077
WordPress Plugin Photocart Link 1.6 Local File Inclusion via decode.php
Vexday Risk Score
33Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 6.9EPSS 0.4%KEV nãoPoC públicaNuclei —Metasploit —Patch —
Lifecycle
15 Jun 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in decode.php. Attackers can supply base64-encoded file paths in the 'id' parameter to the decode.php endpoint to retrieve sensitive files like wp-config.php containing database credentials and configuration data.
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
KaymeePhotography · Photocart Linkpublic PoCs found — 1
cve_referencewww.exploit-db.com/exploits/39623unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →