Description
The PixMagix – WordPress Image Editor plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.2 via the move_image_on_server function. This makes it possible for authenticated attackers, with author-level access and above, to write files with attacker-controlled content to arbitrary locations on the server. The unsanitized 'layers[].id' parameter is concatenated into a filesystem path and passed to PHP's copy() function, allowing traversal sequences (e.g. '../../') to escape the intended upload directory and write attacker-supplied file contents to arbitrary paths accessible by the web server process. The save_template REST endpoint is gated by the create_projects permission (edit_pixmagix + upload_files), which Author-level users hold by default after plugin activation, making this exploitable by any Author on sites running PixMagix.
Published: 2026-06-30
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The PixMagix – WordPress Image Editor plugin contains a directory traversal flaw: the layers[].id parameter is concatenated, unsanitized, into a filesystem path that is passed to PHP's copy() function. An authenticated user with author-level access can therefore write arbitrary files that the web server can serve, potentially leading to code execution, site defacement, or data exposure. This is a classic CWE-22 vulnerability.
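The containment check that this class of flaw is missing, as an added example and not PixMagix's own code: a client-supplied layer id is accepted only as an opaque token, and the resolved destination must sit directly inside the upload directory before copy() is allowed to run. The function name safe_layer_destination, the demo directory and the sample ids are assumptions constructed for illustration.

```php
<?php
// Added example, not taken from the plugin. Names here are hypothetical.
// Pattern the advisory describes (sketch only): the id is joined straight
// into the destination, e.g. copy($src, $uploadDir . '/' . $id . '.png');

/**
 * Return a destination path for a layer image inside $baseDir,
 * or null when the id or extension could leave that directory.
 */
function safe_layer_destination(string $baseDir, string $layerId, string $ext = 'png'): ?string
{
    // 1. Allow-list: an id is an opaque token, never a path fragment.
    //    \A and \z anchor the whole string, so a trailing newline fails too.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $layerId)) {
        return null;
    }
    // 2. Fixed extension allow-list, so the request cannot pick the file type.
    if (!in_array($ext, ['png', 'jpg', 'jpeg', 'webp'], true)) {
        return null;
    }
    // 3. Canonicalise the base directory (resolves symlinks and dot segments).
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $layerId . '.' . $ext;
    // 4. Defence in depth: the parent of the target must be the base itself,
    //    and the target must not be a symlink that copy() would follow.
    $parent = realpath(dirname($candidate));
    if ($parent === false || $parent !== $base || is_link($candidate)) {
        return null;
    }
    return $candidate;
}

// Constructed demo inputs: one well-formed id, then ids that must be refused.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pixmagix-demo';
if (!is_dir($base)) {
    mkdir($base, 0700, true);
}
foreach (['layer_42', '../../outside', 'a/b', "x\0y", ''] as $id) {
    $dest = safe_layer_destination($base, $id);
    printf("%-18s => %s\n", json_encode($id), $dest ?? 'REJECTED');
}
```

Only the first id yields a path; every id containing a separator, a dot segment, a NUL byte, or nothing at all is refused before any filesystem write is attempted.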

Affected Systems

Any WordPress site that has the PixMagix plugin installed at version 1.7.2 or earlier is affected. The flaw exists in the rest-callback-save-template API endpoint invoked through the move_image_on_server function, which is available to users who possess the create_projects permission—a permission that Author users inherit by default after plugin activation.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5 and is not listed in the CISA KEV catalog. The attack requires legitimate credentials at author level or higher, but because most WordPress sites grant many users the Author role, a large attack surface exists. Exploitation involves sending a crafted layers[].id value containing traversal sequences such as ../../ and relying on the copy() operation to create a file at an arbitrary path, with the file content supplied by the attacker. Since nothing beyond normal plugin usage is required, the likelihood of exploitation is moderate, and the impact could be severe if a PHP file is written and executed.

Generated by OpenCVE AI on June 30, 2026 at 07:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the PixMagix plugin to the latest version that removes the vulnerable logic, or uninstall it if no longer needed.
  • If an update is unavailable, remove the create_projects permission from the Author role, or disable the rest-callback-save-template endpoint via role-capability changes or a security plugin.
  • Harden file system permissions on the web root and the plugin's upload directories so that unexpectedly written files cannot be executed, and monitor for unauthorized files.



Advisories

No advisories yet.

History

Tue, 30 Jun 2026 06:00:00 +0000

Type Values Removed Values Added
Title PixMagix <= 1.7.2 - Authenticated (Author+) Path Traversal in 'layers[].id' Parameter
Weaknesses CWE-22
References
Metrics cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-30T04:30:18.532Z

Reserved: 2026-06-05T11:58:32.095Z

Link: CVE-2026-11367

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T07:30:06Z

Weaknesses
  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')