CVE-2015-9415
Published 2019-09-26
Priority: P276 (high)
CVSS 3.1: 7.5 (high), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploit status: in the wild (ITW); listed in VulnCheck KEV
EPSS: 3.40% (87.3th percentile)
The bj-lazy-load plugin before 1.0 for WordPress has Remote File Inclusion.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| angrycreative | bj_lazy_load | < 1.0 | 1.0 |
Detection & IOCs (extracted from sources)
- HTTP 400 response containing 'TimThumb Error' body string combined with an outbound HTTP callback (interactsh/OAST) indicates successful RFI trigger via the src parameter of thumb.php.
- HTTP 200 response with Content-Type 'image/jpeg' and body containing 'gd-jpeg' when requesting thumb.php with an external src URL (e.g. img.youtube.com) confirms the plugin is processing remote files; this is the default-settings exploitation path.
- The RFI is exploitable via the 'src' GET parameter of thumb.php (TimThumb). When ALLOW_ALL_EXTERNAL_SITES is enabled, any remote URL can be supplied; by default only whitelisted domains (e.g. img.youtube.com) are accepted.
- Fingerprint vulnerable installations by searching for the plugin path in page bodies: body contains '/wp-content/plugins/bj-lazy-load'.
- The ALLOW_ALL_EXTERNAL_SITES option in timthumb.php must be set to true for arbitrary remote URLs to be fetched; by default only a whitelist of domains (e.g. img.youtube.com) is permitted, limiting the default-settings attack surface.
- The vulnerability affects BJ Lazy Load versions up to and including 0.7.5; version 1.0 contains the fix.
CVSS provenance
- NVD v3.1: 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- NVD v2.0: 5.0 MEDIUM, AV:N/AC:L/Au:N/C:N/I:P/A:N
- VulnCheck: 7.5 HIGH
GHSA
GHSA-h25w-4mmp-wx8j (ghsa_unreviewed, 2022-05-24): CVE-2015-9415 [HIGH] CWE-20
The bj-lazy-load plugin before 1.0 for WordPress has Remote File Inclusion.
VulnCheck
CVE-2015-9415 [HIGH] angrycreative bj_lazy_load Improper Input Validation (vulncheck, 2015, CVSS 7.5)
The bj-lazy-load plugin before 1.0 for WordPress has Remote File Inclusion.
Affected: angrycreative bj_lazy_load
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/bj-lazy-load/bj-lazy-load-10-remote-file-inclusion-via-timthumb; https://app.crowdsec.net/cti/cve-explorer/CVE-2015-9415
No detection rules found.
Nuclei
CVE-2015-9415 [HIGH] BJ Lazy Load (Timthumb) <= 0.7.5 - Remote File Inclusion (nuclei, CVSS 7.5)
The BJ Lazy Load plugin v0.7.5 for WordPress has a Remote File Inclusion vulnerability via TimThumb.
Template:

```yaml
id: CVE-2015-9415
info:
  name: BJ Lazy Load (Timthumb) <= 0.7.5 - Remote File Inclusion
  author: s4e-io
  severity: high
  description: |
    The BJ Lazy Load plugin v0.7.5 for WordPress has a Remote File Inclusion vulnerability via TimThumb.
  impact: |
    Attackers can include and execute remote malicious files, potentially leading to remote code execution and complete site compromise.
  remediation: Fixed in 1.0
  reference:
    - https://wpscan.com/vulnerability/c15aef94-822d-40eb-80a6-e4a0611cb5c1/
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/bj-lazy-load/bj-lazy-load-10-remote-file-inclusion-via-timthumb
    - h
```
No writeups or analysis indexed.