Skip to main content

Pixmagix Wordpress Image Editor

1 CVEs product

Monthly

CVE-2026-11367 MEDIUM This Month

Arbitrary file write via directory traversal in the PixMagix WordPress Image Editor plugin (all versions through 1.7.2) allows any authenticated Author-level WordPress user to write attacker-controlled content to arbitrary filesystem paths accessible by the web server process. The vulnerability stems from unsanitized use of the `layers[].id` parameter inside the `move_image_on_server` function, which concatenates user input directly into a PHP `copy()` call without path validation. Because the `save_template` REST endpoint requires only the `create_projects` permission - automatically granted to Author-level users on plugin activation - any contributor-tier account can exploit this to plant PHP webshells and escalate to remote code execution. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.

WordPress Path Traversal Pixmagix Wordpress Image Editor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.5%
EPSS 1% CVSS 6.5
MEDIUM This Month

Arbitrary file write via directory traversal in the PixMagix WordPress Image Editor plugin (all versions through 1.7.2) allows any authenticated Author-level WordPress user to write attacker-controlled content to arbitrary filesystem paths accessible by the web server process. The vulnerability stems from unsanitized use of the `layers[].id` parameter inside the `move_image_on_server` function, which concatenates user input directly into a PHP `copy()` call without path validation. Because the `save_template` REST endpoint requires only the `create_projects` permission - automatically granted to Author-level users on plugin activation - any contributor-tier account can exploit this to plant PHP webshells and escalate to remote code execution. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.

WordPress Path Traversal Pixmagix Wordpress Image Editor
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy