Pixmagix Wordpress Image Editor
Monthly
Arbitrary file write via directory traversal in the PixMagix WordPress Image Editor plugin (all versions through 1.7.2) allows any authenticated Author-level WordPress user to write attacker-controlled content to arbitrary filesystem paths accessible by the web server process. The vulnerability stems from unsanitized use of the `layers[].id` parameter inside the `move_image_on_server` function, which concatenates user input directly into a PHP `copy()` call without path validation. Because the `save_template` REST endpoint requires only the `create_projects` permission - automatically granted to Author-level users on plugin activation - any contributor-tier account can exploit this to plant PHP webshells and escalate to remote code execution. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.
Arbitrary file write via directory traversal in the PixMagix WordPress Image Editor plugin (all versions through 1.7.2) allows any authenticated Author-level WordPress user to write attacker-controlled content to arbitrary filesystem paths accessible by the web server process. The vulnerability stems from unsanitized use of the `layers[].id` parameter inside the `move_image_on_server` function, which concatenates user input directly into a PHP `copy()` call without path validation. Because the `save_template` REST endpoint requires only the `create_projects` permission - automatically granted to Author-level users on plugin activation - any contributor-tier account can exploit this to plant PHP webshells and escalate to remote code execution. No public exploit code has been identified at time of analysis, and no CISA KEV listing is present.