CVE-2015-1366

pixabay_images < 2.3 - Cross-Site Scripting via image_user Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-1366. PoCs published by Hans-Martin Muench.

AI-analyzed exploit summary This Python script exploits an authentication bypass and arbitrary file upload vulnerability in the WP Pixabay Images WordPress plugin (version 2.3). It allows an attacker to upload a malicious PHP file from a remote URL to a target WordPress site by leveraging path traversal and lack of host validation.

Description

Cross-site scripting (XSS) vulnerability in pixabay-images.php in the Pixabay Images plugin before 2.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via the image_user parameter.

Exploits (1)

exploitdb WORKING POC

by Hans-Martin Muench · textwebappsphp

https://www.exploit-db.com/exploits/35846

View Code ZIP pw:eip

This Python script exploits an authentication bypass and arbitrary file upload vulnerability in the WP Pixabay Images WordPress plugin (version 2.3). It allows an attacker to upload a malicious PHP file from a remote URL to a target WordPress site by leveraging path traversal and lack of host validation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Trivial

Reliability

Reliable

Target: WP Pixabay Images WordPress Plugin 2.3

No auth needed

Prerequisites: Target running vulnerable WP Pixabay Images plugin (2.3) · Network access to the WordPress admin interface

MITRE ATT&CK