CVE-2015-10136
published 2025-07-19


Priority: P2 (59)
Severity: high
CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploit: public exploit available
EPSS: 2.04% (78.7th percentile)
The GI-Media Library plugin for WordPress is vulnerable to Directory Traversal in versions before 3.0 via the 'fileid' parameter. This allows unauthenticated attackers to read the contents of arbitrary files on the server, which can contain sensitive information.

Affected (2 ranges)

Vendor    Product            Version range   Fixed in
zishanj   gi-media-library   < 3.0           3.0
zishanj   gi-media_library   < 3.0           3.0

Detection & IOCs (extracted from sources)

URL: /wp-content/plugins/gi-media-library/
Other: fileid (request parameter)
  • Monitor HTTP requests containing the 'fileid' parameter targeting the GI-Media Library WordPress plugin endpoint for directory traversal sequences (e.g., '../').
  • No authentication is required to exploit this vulnerability, so any source IP may be an attacker; look for traversal patterns in the fileid parameter from unauthenticated sessions.
  • The Metasploit auxiliary module wp_gimedia_library_file_read.rb can be used to validate exposure; detect scanner activity targeting this plugin path.
  • The vulnerability affects GI-Media Library versions before 3.0; version 2.2.2 is explicitly confirmed vulnerable. Ensure version checks target this range.
  • Exploitation runs with web server privileges, so file read access is limited to files readable by the web server user (e.g., www-data on Ubuntu).
  • The Metasploit module was tested on GI-Media Library 2.2.2 with WordPress 4.1.3 on Ubuntu 12.04 Server; behavior on other OS/WordPress version combinations may differ.