cbcvebase.
CVE-2015-9415
published 2019-09-26

CVE-2015-9415: The bj-lazy-load plugin before 1.0 for WordPress has Remote File Inclusion.

Priority: P2 (76, high)
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
VulnCheck KEV: exploited in the wild (in-the-wild exploit)
EPSS: 3.40% (percentile 87.3)

Affected

1 range
Vendor         Product        Version range   Fixed in
angrycreative  bj_lazy_load   < 1.0           1.0

Detection & IOCs (extracted from sources)

url   /wp-content/plugins/bj-lazy-load/thumb.php?src=http://{{interactsh-url}}/{{rand_base(16)}}.jpg
path  /wp-content/plugins/bj-lazy-load/thumb.php
path  /wp-content/plugins/bj-lazy-load
path  bj-lazy-load/inc/timthumb.php
  • An HTTP 400 response whose body contains 'TimThumb Error', combined with an outbound HTTP callback to the attacker-controlled host (interactsh/OAST), indicates that the src parameter of thumb.php triggered a remote fetch, i.e. a successful RFI trigger. The TimThumb error on its own does not show that a fetch happened; the callback is what confirms it.
  • An HTTP 200 response with Content-Type 'image/jpeg' and a body containing 'gd-jpeg' when thumb.php is requested with an external src URL on the default whitelist (e.g. img.youtube.com) confirms the plugin fetches and re-encodes remote files. This is the default-settings exploitation path.
  • The RFI is reached through the 'src' GET parameter of thumb.php (TimThumb). Arbitrary remote URLs are fetched only when the ALLOW_ALL_EXTERNAL_SITES option in timthumb.php is set to true; by default only a whitelist of domains (e.g. img.youtube.com) is permitted, which limits the default-settings attack surface to whitelisted hosts.
  • Fingerprint installations by searching page bodies for the plugin path: body contains '/wp-content/plugins/bj-lazy-load'.
  • The vulnerability affects BJ Lazy Load versions up to and including 0.7.5; version 1.0 contains the fix.
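The checks listed above, as an added example that is not code from the advisory, the plugin, or any scanner: it builds the thumb.php probe URL, fingerprints a page body for the plugin path, and classifies a thumb.php response into the two signatures above (arbitrary-host RFI with OAST callback, and the default whitelisted fetch). The host names, the OAST domain, the youtube-style src URL and all HTTP responses are constructed for the example; the "whitelist-enforced" verdict (400 + 'TimThumb Error' with no callback) is this example's own inference that the error alone does not prove a fetch.

```python
# Added example (not from the advisory, the plugin or a scanner): offline
# logic for the CVE-2015-9415 detection signatures. All hosts and responses
# below are constructed, not captured traffic.
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlencode

PLUGIN_PATH = "/wp-content/plugins/bj-lazy-load"
THUMB_PATH = PLUGIN_PATH + "/thumb.php"


@dataclass
class Response:
    """Minimal HTTP response shape so the classifier runs without a network."""
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def content_type(self) -> str:
        return self.headers.get("Content-Type", "").lower()


def probe_url(base_url: str, src: str) -> str:
    """thumb.php request with a remote src, query-encoded."""
    return base_url.rstrip("/") + THUMB_PATH + "?" + urlencode({"src": src})


def oast_probe_url(base_url: str, oast_host: str) -> str:
    """src pointing at a host we control; a random .jpg name keys the callback."""
    return probe_url(base_url, f"http://{oast_host}/{secrets.token_hex(8)}.jpg")


def has_plugin_fingerprint(page_body: bytes) -> bool:
    """Cheap pre-check: the plugin path appears in served HTML."""
    return PLUGIN_PATH.encode() in page_body


def classify(resp: Response, callback_seen: bool) -> str:
    """
    rfi-arbitrary-host:   400 + 'TimThumb Error' AND a callback reached our
                          OAST host: TimThumb fetched an arbitrary URL
                          (ALLOW_ALL_EXTERNAL_SITES effectively true).
    remote-fetch-default: 200 image/jpeg containing 'gd-jpeg': TimThumb
                          fetched and re-encoded an image from a whitelisted
                          host (default settings).
    whitelist-enforced:   400 + 'TimThumb Error' but no callback; the error
                          alone does not prove a fetch (example's inference).
    unknown:              anything else (plugin absent, WAF, etc.).
    """
    timthumb_error = resp.status == 400 and b"TimThumb Error" in resp.body
    if timthumb_error and callback_seen:
        return "rfi-arbitrary-host"
    if (resp.status == 200 and resp.content_type().startswith("image/jpeg")
            and b"gd-jpeg" in resp.body):
        return "remote-fetch-default"
    if timthumb_error:
        return "whitelist-enforced"
    return "unknown"


# Constructed sample responses: (response, callback_seen).
SAMPLES = {
    "arbitrary_host": (
        Response(400, {"Content-Type": "text/html"},
                 b"<html><body>TimThumb Error: image could not be processed</body></html>"),
        True),
    "default_whitelist": (
        Response(200, {"Content-Type": "image/jpeg"},
                 b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\xff\xfeCREATOR: gd-jpeg v1.0\xff\xd9"),
        False),
    "whitelist_blocked": (
        Response(400, {"Content-Type": "text/html"},
                 b"<html><body>TimThumb Error: external host not allowed</body></html>"),
        False),
    "not_installed": (
        Response(404, {"Content-Type": "text/html"}, b"Not Found"),
        False),
}


def run_samples() -> dict:
    """Verdict per constructed sample; used by the usage below."""
    return {name: classify(resp, cb) for name, (resp, cb) in SAMPLES.items()}


if __name__ == "__main__":
    # Hypothetical target and OAST host.
    print(oast_probe_url("https://victim.example", "oast.example"))
    print(probe_url("https://victim.example", "http://img.youtube.com/vi/example/0.jpg"))
    for name, verdict in run_samples().items():
        print(f"{name}: {verdict}")
```

In use, the OAST probe is the decisive check: only a callback from the target to the random .jpg path proves TimThumb fetched an attacker-chosen host. The whitelisted-host probe needs no callback infrastructure but only shows the plugin processes remote images from the domains it already trusts.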

CVSS provenance

NVD        CVSS v3.1   7.5 HIGH     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
NVD        CVSS v2.0   5.0 MEDIUM   AV:N/AC:L/Au:N/C:N/I:P/A:N
VulnCheck              7.5 HIGH