CVE-2015-1376
published 2015-01-28

Priority: P3 (42)
Severity: medium
CVSS 2.0 score: 4 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
Exploit: yes
EPSS: 33.97% (98.2th percentile)

Description:
pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress does not validate hostnames, which allows remote authenticated users to write to arbitrary files via an upload URL with a host other than pixabay.com.

Affected (1 range)

Vendor: pixabay_images_project
Product: pixabay_images
Version range: <= 2.3
Fixed in: 2.4

Detection & IOCs (extracted from sources)

filename: pixabay-images.php
  • Look for POST requests to /wp-admin/ containing the parameter 'pixabay_upload=1' combined with an 'image_url' parameter pointing to an external/attacker-controlled host (not pixabay.com). This is the core exploit trigger.
  • Detect path traversal sequences in the 'q' parameter of POST requests to /wp-admin/ (e.g., '../../' patterns), which are used to write files outside the intended 'download' folder.
  • Flag POST requests to /wp-admin/ with Content-Type 'application/x-www-form-urlencoded' containing 'pixabay_upload=1' and an image_url referencing a non-pixabay.com host, as the plugin does not validate the hostname.
  • The plugin does not check if the user is logged in (authentication bypass), so exploit attempts may arrive without a valid WordPress session cookie — monitor unauthenticated POST requests to /wp-admin/ with 'pixabay_upload=1'.
  • The Metasploit module targets this vulnerability to store and execute malicious PHP code; look for newly created PHP files in unexpected WordPress upload/download directories following a pixabay_upload POST.
  • The authentication bypass vulnerability means exploitation does not require valid credentials; detections relying solely on authenticated-user monitoring will miss unauthenticated attack attempts.
  • Only Pixabay Images plugin versions prior to 2.4 are vulnerable; version 2.4 contains the fix. Ensure the installed plugin version is confirmed before applying detections to avoid false positives on patched installs.
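The detection points above can be turned into a single request-level check. The following is an added example, not part of this CVE record or of the plugin: it evaluates HTTP request records against the indicators listed (POST to /wp-admin/ carrying pixabay_upload=1, an image_url whose host is not pixabay.com, traversal sequences in q, and the absence of a WordPress login cookie). The record field names, the trusted-host list and the sample traffic are this example's own constructions.

```python
"""Added example, not part of the CVE record: evaluate HTTP request records
against the CVE-2015-1376 detection points (POST to /wp-admin/ with
pixabay_upload=1, image_url on a host other than pixabay.com, traversal
sequences in q, and requests with no WordPress login cookie).
Record field names and the sample traffic are this example's own constructions."""
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: these are the only hosts the plugin legitimately fetches images from.
TRUSTED_HOSTS = {"pixabay.com", "www.pixabay.com"}


def host_is_trusted(url):
    """Exact hostname match; a substring check would accept pixabay.com.example."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return False
    return host is not None and host.lower() in TRUSTED_HOSTS


def has_traversal(value):
    """Look for ../ (or ..\\) after undoing repeated percent-encoding."""
    decoded = value
    for _ in range(3):  # parse_qs decoded once already; this catches double encoding
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    return "../" in decoded or "..\\" in decoded


def is_logged_in(cookie_header):
    """WordPress marks an authenticated session with a wordpress_logged_in_<hash> cookie."""
    return any(part.strip().startswith("wordpress_logged_in_")
               for part in cookie_header.split(";"))


def assess_request(req):
    """Return the names of the indicators a single request record matches.

    Assumed record keys: method, path, content_type, cookie, body (raw form body).
    """
    findings = []
    if req["method"] != "POST" or not req["path"].startswith("/wp-admin/"):
        return findings
    if "application/x-www-form-urlencoded" not in req.get("content_type", ""):
        return findings
    form = parse_qs(req["body"], keep_blank_values=True)
    if form.get("pixabay_upload", [""])[0] != "1":
        return findings  # not the plugin's upload handler at all
    if any(not host_is_trusted(u) for u in form.get("image_url", [])):
        findings.append("image_url_host_not_pixabay")
    if any(has_traversal(q) for q in form.get("q", [])):
        findings.append("path_traversal_in_q")
    if not is_logged_in(req.get("cookie", "")):
        findings.append("upload_without_wordpress_session")
    return findings


def scan(records):
    """Map each record id to its findings so a rule or test can act on them."""
    return {r["id"]: assess_request(r) for r in records}


# Constructed sample traffic (not captured from a real site).
SAMPLE_REQUESTS = [
    {"id": "benign", "method": "POST", "path": "/wp-admin/",
     "content_type": "application/x-www-form-urlencoded",
     "cookie": "wordpress_logged_in_0123abcd=editor%7C1422400000%7Cdeadbeef",
     "body": "pixabay_upload=1&image_url=https%3A%2F%2Fpixabay.com%2Fget%2Fflower.jpg&q=flower"},
    {"id": "external_host_no_session", "method": "POST", "path": "/wp-admin/",
     "content_type": "application/x-www-form-urlencoded",
     "cookie": "",
     "body": "pixabay_upload=1&image_url=http%3A%2F%2F203.0.113.10%2Fpicture.php"
             "&q=..%2F..%2F..%2Fwebroot%2Fpicture"},
    {"id": "lookalike_host_double_encoded", "method": "POST", "path": "/wp-admin/",
     "content_type": "application/x-www-form-urlencoded",
     "cookie": "wordpress_logged_in_0123abcd=editor%7C1422400000%7Cdeadbeef",
     "body": "pixabay_upload=1&image_url=http%3A%2F%2Fpixabay.com.example%2Fx.jpg"
             "&q=%252e%252e%252fuploads"},
    {"id": "unrelated_get", "method": "GET", "path": "/wp-admin/",
     "content_type": "", "cookie": "", "body": ""},
]

if __name__ == "__main__":
    for rid, found in scan(SAMPLE_REQUESTS).items():
        print(f"{rid}: {found or 'clean'}")
```

The host check compares the parsed hostname exactly rather than searching for the string "pixabay.com", so look-alike hosts such as pixabay.com.example are flagged; the traversal check re-decodes the q value because web servers and WAFs often see it only after one round of URL decoding. The last bullet above still applies: confirm the installed plugin version before acting on a match, since the same requests are harmless against 2.4 or later.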