This script is possibly vulnerable to a Padding Oracle Attack. At Eurocrypt 2002, Vaudenay introduced a powerful side-channel attack, which is called padding oracle attack, against CBC-mode encryption with PKCS#5 padding. If there is an oracle which on receipt of a ciphertext, decrypts it and then replies to the sender whether the padding is correct or not, Vaudenay shows how to use that oracle to efficiently decrypt data without knowing the encryption key.
Consult Web References for more information about the padding oracle attack.
WordPress Plugin iThemes Security (formerly Better WP Security) Information Disclosure (5.1.1)
Zend framework configuration file information disclosure
WordPress Plugin W3 Total Cache Arbitrary File Disclosure (0.9.3)
WordPress Plugin User Profile Picture Information Disclosure (2.4.0)
WordPress Plugin Memphis Documents Library Arbitrary File Download (3.1.5)