CVE-2009-4672

WP-Lytebox 1.3 - Path Traversal via pg Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-4672. PoCs published by TurkGuvenligi.

AI-analyzed exploit summary: This exploit demonstrates a Local File Include (LFI) and Remote Code Execution (RCE) vulnerability in the WP Plugin Lytebox. The LFI allows reading arbitrary files, while the RCE is achieved by injecting PHP code into the Apache access log and including it via the LFI.

Description

Directory traversal vulnerability in main.php in the WP-Lytebox plugin 1.3 for WordPress allows remote attackers to include and execute arbitrary local files via a .. (dot dot) in the pg parameter.

Exploits (1)

exploitdb WORKING POC VERIFIED
by TurkGuvenligi · text · webapps · php
https://www.exploit-db.com/exploits/8791


Classification: Working PoC 90%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: WP Plugin Lytebox (version not specified)
No auth needed
Prerequisites: Target must have the vulnerable WP Plugin Lytebox installed · Apache access logs must be writable by the attacker
mistral-large-3 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/8791
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/35244
Exploit vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/35098

Scores

EPSS 0.0908
EPSS Percentile 94.7%

Details

CWE: CWE-22
Status: published
Products (1): grupenet/wp-lytebox 1.3
Published: Mar 05, 2010
Tracked Since: Feb 18, 2026