Skip to main content

PixMagix WordPress Plugin CVE-2026-11367

| EUVDEUVD-2026-40253 MEDIUM
Path Traversal (CWE-22)
2026-06-30 Wordfence GHSA-pmh9-5c73-wc86
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

File-write primitive yields I:H and C:N; PR:L reflects mandatory Author-level authentication; provided vector's C:H/I:N assignment is inconsistent with the described write-only behavior.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 30, 2026 - 06:16 vuln.today
CVE Published
Jun 30, 2026 - 04:30 cve.org
MEDIUM 6.5

DescriptionCVE.org

The PixMagix - WordPress Image Editor plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.2 via the move_image_on_server function. This makes it possible for authenticated attackers, with author-level access and above, to write files with attacker-controlled content to arbitrary locations on the server. The unsanitized 'layers[].id' parameter is concatenated into a filesystem path and passed to PHP's copy() function, allowing traversal sequences (e.g. '../../') to escape the intended upload directory and write attacker-supplied file contents to arbitrary paths accessible by the web server process. The save_template REST endpoint is gated by the create_projects permission (edit_pixmagix + upload_files), which Author-level users hold by default after plugin activation, making this exploitable by any Author on sites running PixMagix.

AnalysisAI

Arbitrary file write via directory traversal in the PixMagix WordPress Image Editor plugin (all versions through 1.7.2) allows any authenticated Author-level WordPress user to write attacker-controlled content to arbitrary filesystem paths accessible by the web server process. The vulnerability stems from unsanitized use of the layers[].id parameter inside the move_image_on_server function, which concatenates user input directly into a PHP copy() call without path validation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Author-level WordPress credentials
Delivery
Craft POST to /wp-json save_template endpoint
Exploit
Inject traversal path in layers[].id parameter
Execution
PHP copy() writes attacker content to arbitrary server path
Persist
Request written PHP webshell via HTTP
Impact
Execute arbitrary commands as web server process

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated WordPress user account with Author-level privileges or higher on the target site. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, score 6.5) contains a notable inconsistency: the description unambiguously describes a file-write vulnerability, yet the vector assigns C:H (Confidentiality: High) with I:N (Integrity: None). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid Author-level WordPress account on a site running PixMagix sends a crafted POST request to the `save_template` REST endpoint, embedding traversal sequences such as `../../` in the `layers[].id` field along with PHP webshell content as the file body. The unsanitized path is passed to `copy()`, writing the webshell outside the upload directory - for example, to the webroot. …
Remediation The primary remediation is to update PixMagix to a version above 1.7.2; however, no patched release version has been independently confirmed in the available data - the fix status should be verified directly in the WordPress plugin repository or via the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/c87adbd9-3b09-403e-921a-31b3f58962e9. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11367 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy