CVE-2016-20079 | WordPress Dharma Booking 2.28.3 and earlier contains a local… | CVSS 6.2 MEDIUM

Description

WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Attackers can supply file paths with directory traversal sequences or null byte injection to the gateway parameter in proccess.php to read sensitive files like configuration and system files.

Metadata

CVE ID: CVE-2016-20079
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-15 11:46 UTC
Published: 2026-06-15 12:00 UTC
Last updated: 2026-06-15 16:20 UTC
Primary CWE: CWE-98
Improper Control of Filename for Include/Require Statement i…
Vendor / Product: jamie / Dharma Booking
Sources: cve.org · NVD

Severity & Metrics

6.2 MEDIUM CVSS 3.1

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
jamie	Dharma Booking	—	0 ≤ 2.28.3

Weakness (CWE)

CWE	Source	Description
CWE-98	cna	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CVSS scores (2)

Score	Severity	Version	Source	Vector
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
6.2	MEDIUM	3.1	cna	CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (3)

ExploitDB-39592 https://www.exploit-db.com/exploits/39592
Official Product Homepage https://wordpress.org/plugins/dharma-booking/
VulnCheck Advisory: WordPress Dharma Booking 2.28.3 Local File Inclusion via proccess.php https://www.vulncheck.com/advisories/wordpress-dharma-booking-local-file-inclusion-via-proccess-php