Description
WP Vault 0.8.6.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting an unescaped parameter in the include functionality. Attackers can supply directory traversal sequences through the wpv-image GET parameter to access sensitive files like system configuration and credentials.
Published: 2026-06-09
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WP Vault 0.8.6.6 contains a local file inclusion flaw that allows unauthenticated users to read arbitrary files on the web server. The vulnerability is triggered by supplying a directory traversal sequence in the wpv-­image GET parameter, which the plugin does not properly escape. By exploiting this weakness, an attacker can access sensitive files such as system configuration files and credential stores; this is a classic CWE‑98 – Unescaped Input in File Inclusion.

Affected Systems

The flaw affects the WP Vault plugin version 0.8.6.6, developed by myasui for WordPress sites, and any site running this plugin without an updated version will be vulnerable.

Risk and Exploitability

With a CVSS score of 6.9, the vulnerability presents a moderate severity risk. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, but it remains exploitable because no authentication is required and the plugin simply parses the GET parameter. An attacker only needs to construct a URL such as /?wpv-image=../../../../etc/passwd to read arbitrary files, indicating that, if the plugin is present and not patched, the risk is tangible.

Generated by OpenCVE AI on June 9, 2026 at 13:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Vault plugin to the latest released version that removes the LFI vulnerability.
  • If an update is not possible, remove or disable the wpv-­image parameter in the plugin’s code or remove the plugin entirely to eliminate the vulnerable entry point.
  • Apply server‑side filtering, such as ModSecurity rules or an .htaccess rewrite, to block directory‑traversal patterns and ensure any remaining file inclusion operates on a sanitized, whitelisted set of paths.

Generated by OpenCVE AI on June 9, 2026 at 13:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Myasui
Myasui wp Vault
Wordpress
Wordpress wordpress
Vendors & Products Myasui
Myasui wp Vault
Wordpress
Wordpress wordpress

Tue, 09 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Description WP Vault 0.8.6.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting an unescaped parameter in the include functionality. Attackers can supply directory traversal sequences through the wpv-image GET parameter to access sensitive files like system configuration and credentials.
Title WP Vault 0.8.6.6 Local File Inclusion via wpv-image Parameter
Weaknesses CWE-98
References
Metrics cvssV3_1

{'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Myasui Wp Vault
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-09T13:16:31.313Z

Reserved: 2026-06-09T11:39:35.346Z

Link: CVE-2016-20064

cve-icon Vulnrichment

Updated: 2026-06-09T13:16:26.112Z

cve-icon NVD

Status : Deferred

Published: 2026-06-09T13:16:33.640

Modified: 2026-06-09T13:51:18.770

Link: CVE-2016-20064

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-09T20:20:59Z

Weaknesses