CVE-2016-20079 PUBLISHED

WordPress Dharma Booking 2.28.3 Local File Inclusion via proccess.php

Assigner: VulnCheck
Reserved: 15.06.2026 Published: 15.06.2026 Updated: 15.06.2026

WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Attackers can pass file paths that use directory traversal sequences or null byte injection in the gateway parameter of proccess.php to read sensitive files such as configuration and system files.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 6.9

Product Status

Vendor: jamie
Product: Dharma Booking
Versions:
  • affected from 0 to 2.28.3 (incl.)

Credits

  • AMAR^SHG (finder)

Problem Types

  • CWE: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')