CVE-2016-20064: WP Vault 0.8.6.6 Arbitrary File Read via Directory Traversal
WP Vault version 0.8.6.6 contains a local file inclusion (LFI) vulnerability that allows unauthenticated attackers to read arbitrary files from the server. An attacker can manipulate the wpv-image GET parameter to include directory traversal sequences (such as ../../../etc/passwd) and access sensitive files including system configuration files, credentials, and other protected data. No user authentication is required to exploit this vulnerability.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.2 MEDIUM · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-98
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-09 / 2026-06-17
NVD description (verbatim)
WP Vault 0.8.6.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting an unescaped parameter in the include functionality. Attackers can supply directory traversal sequences through the wpv-image GET parameter to access sensitive files like system configuration and credentials.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in WP Vault 0.8.6.6's include functionality, which fails to properly sanitize or escape the wpv-image parameter before passing it to file inclusion operations. This is a classic arbitrary file read vulnerability classified as Improper Input Validation (CWE-98). An unauthenticated remote attacker can supply path traversal sequences via the GET parameter to break out of intended directory boundaries and access files anywhere on the web server's filesystem. The vulnerability affects the confidentiality of stored data but does not enable code execution, data modification, or service disruption based on the attack vector alone.
Business impact
This vulnerability exposes your organization to unauthorized disclosure of sensitive information stored on servers running WP Vault. Attackers could extract database configuration files, authentication credentials, private keys, API tokens, customer data, and other confidential information without any legitimate access. Such disclosures can lead to regulatory compliance violations (GDPR, HIPAA, PCI DSS depending on data types exposed), reputational damage, secondary compromises leveraging stolen credentials, and potential legal liability. The attack requires no authentication and can be automated at scale, making this a persistent exposure if left unpatched.
Affected systems
Any deployment of WP Vault version 0.8.6.6 is vulnerable. Organizations running this plugin should immediately inventory affected installations. The vulnerability does not appear in the vendor_products field data available, so verify your specific deployment version and configuration. If your installation has been updated beyond 0.8.6.6, confirm the update version number against the vendor's advisory to ensure the LFI has been remediated.
Exploitability
This vulnerability has a CVSS v3.1 score of 6.2 (MEDIUM) with a local attack vector (AV:L), reflecting that the attacker must have some level of local network or filesystem access context. However, the lack of privilege requirements (PR:N) and user interaction (UI:N) means any unauthenticated user on the network segment can attempt exploitation. The attack is trivial to execute—simply crafting a malicious URL with directory traversal sequences in the wpv-image parameter. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, but the simplicity of exploitation and the high value of the exposed information suggest this could attract attacker attention once publicly disclosed.
Remediation
Immediately upgrade WP Vault to a patched version released after June 2026. Contact the plugin vendor for the specific version number and patch release notes. If an immediate patch is unavailable, consider disabling or removing WP Vault from production environments until a fix is confirmed. Review server access logs for evidence of exploitation attempts using patterns like '../' in the wpv-image parameter. Conduct a forensic review of potentially exposed files to determine if credential compromise has occurred and rotate any exposed secrets.
Patch guidance
Apply the vendor's patched version of WP Vault as soon as it becomes available. The vendor advisory will specify the minimum version required to resolve CWE-98 (Improper Input Validation). Verify in your change control system that the update has been deployed to all affected instances. Test the patch in a staging environment first to ensure no compatibility issues with your WordPress configuration. Once deployed, confirm that the wpv-image parameter is now properly escaped and that directory traversal sequences are rejected or safely neutralized.
Detection guidance
Monitor web server access logs for GET requests containing the wpv-image parameter paired with path traversal sequences such as '../', '..\\', or URL-encoded variants (%2e%2e%2f). Implement WAF rules to block requests to WP Vault endpoints that include traversal patterns. Conduct file integrity monitoring on sensitive files (config files, credential stores) to detect unauthorized read access. Review WordPress plugin audit logs if available. Search for indicators of compromise: unusual file access patterns in server logs, evidence of configuration file exfiltration, and signs of credential reuse from exposed secrets. Correlate timestamps with any known vulnerability disclosure dates.
Why prioritize this
Although the CVSS score is MEDIUM (6.2), this vulnerability warrants high prioritization because it enables unauthenticated, effortless information disclosure with no exploitation complexity. The attack surface is the entire unauthenticated internet if your WP Vault instance is accessible remotely. The impact—exposure of configuration, credentials, and customer data—directly threatens compliance, incident response capability, and downstream security. Organizations using WP Vault should treat this as a critical operational priority for patching and forensic review, regardless of the numeric CVSS score.
Risk score, explained
The CVSS v3.1 score of 6.2 reflects a MEDIUM severity rating based on a local attack vector and no impact to integrity or availability. However, this score may underrepresent real-world risk in environments where the affected server is internet-facing and accessible without VPN or IP restrictions. The 'L' in Attack Vector accounts for the assumption that an attacker must be on the local network segment, but in many cloud and hybrid environments, the effective attack vector is network-adjacent or network-accessible. Organizations should apply contextual risk scoring: if WP Vault is publicly accessible over the internet, escalate this to HIGH priority; if it is behind a firewall and accessible only to trusted users, the MEDIUM score is more representative.
Frequently asked questions
Can an attacker execute code using this vulnerability?
No. The vulnerability allows arbitrary file *reading* only (information disclosure). It does not enable code execution, command injection, or service disruption. However, exposed credentials or configuration files can be leveraged for follow-on attacks.
Does WP Vault need to be publicly accessible on the internet for this vulnerability to be exploited?
The CVSS vector specifies a local attack vector (AV:L), suggesting the attacker must be on the local network. However, this depends on your deployment. If your WP Vault instance is accessible via the internet without authentication, the practical attack vector is network-level. Review your firewall rules and access controls to determine your actual exposure.
What files are most critical to protect from disclosure in this attack?
Priority targets include: database configuration files (wp-config.php if WordPress), authentication tokens, API keys, SSL certificates, SSH keys, /etc/passwd, /etc/shadow equivalents, and any files containing customer PII or payment information. Review your server's file structure and mark sensitive files for access control enforcement after patching.
Is this vulnerability being actively exploited?
The vulnerability is not currently listed in the CISA KEV catalog as of the publication date, indicating no widely known active exploitation campaign has been documented. However, given the simplicity of the attack and the value of the information disclosed, preventive patching is essential before public exploit code becomes available.
This analysis is provided for informational purposes and reflects information available as of the publication date. The vulnerability details, vendor advisory, and patch availability are subject to change. Organizations should verify all patch versions and compatibility against the official vendor advisory before deployment. No exploit code or weaponized proof-of-concept is provided. This is not a substitute for professional security assessment or vendor communication. Always test patches in staging environments before production deployment. If you have evidence of active exploitation or compromise, contact your incident response team and relevant authorities immediately. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-53440HIGHAxiomthemes Confidant PHP Local File Inclusion (LFI) Vulnerability – CVSS 8.1 HIGH
- CVE-2025-58024HIGHUnboundStudio Accordion FAQ Local File Inclusion Vulnerability – CVSS 7.5 HIGH
- CVE-2025-58705HIGHCrafti PHP Local File Inclusion (LFI) Vulnerability – Patch Guide
- CVE-2025-58707HIGHPHP Local File Inclusion in Axiomthemes Spin 1.8
- CVE-2025-58897HIGHAxiomthemes Fermentio PHP Local File Inclusion Vulnerability (CVSS 8.1)
- CVE-2025-68886HIGHandroThemes Cookiteer PHP Local File Inclusion Vulnerability – CVSS 8.1
- CVE-2025-69369HIGHAxiomthemes Racquet File Inclusion Vulnerability (CVSS 8.1)
- CVE-2026-37266HIGHResponsive File Manager 9.14.0 Remote Code Execution via force_download.php