CVE-2015-9415

HIGH EXPLOITED NUCLEI

bj_lazy_load < 1.0 - Remote File Inclusion

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2015-9415 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 1 public exploit from researchers including halilkirazkaya. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository provides a functional PoC for CVE-2015-9415, demonstrating a Remote File Inclusion (RFI) vulnerability in the bj-lazy-load WordPress plugin. The exploit leverages the `src` parameter in `thumb.php` to include arbitrary remote files.

Description

The bj-lazy-load plugin before 1.0 for WordPress has Remote File Inclusion.

Exploits (1)

github WORKING POC 4 stars
by halilkirazkaya · poc
https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2015/CVE-2015-9415.md

The repository provides a functional PoC for CVE-2015-9415, demonstrating a Remote File Inclusion (RFI) vulnerability in the bj-lazy-load WordPress plugin. The exploit leverages the `src` parameter in `thumb.php` to include arbitrary remote files.

Classification
Working Poc 90%
Attack Type
Rfi
Complexity
Trivial
Reliability
Reliable
Target: bj-lazy-load WordPress plugin before 1.0
No auth needed
Prerequisites: WordPress site with vulnerable bj-lazy-load plugin installed
devstral-2 · analyzed Feb 27, 2026 Full analysis →

Nuclei Templates (1)

BJ Lazy Load (Timthumb) <= 0.7.5 - Remote File Inclusion
HIGHVERIFIEDby s4e-io
FOFA: body="/wp-content/plugins/bj-lazy-load"

References (2)

Core 2
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpvulndb.com/vulnerabilities/8174
Product, Third Party Advisory x_refsource_misc
https://wordpress.org/plugins/bj-lazy-load/#developers

Scores

CVSS v3 7.5
EPSS 0.1670
EPSS Percentile 95.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

VulnCheck KEV 2015-09-02
CWE
CWE-20
Status published
Products (1)
angrycreative/bj_lazy_load < 1.0
Published Sep 26, 2019
Tracked Since Feb 18, 2026