CVE-2026-11367 in PixMagix Plugin

Summary

by MITRE • 06/30/2026

The PixMagix – WordPress Image Editor plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 1.7.2 via the move_image_on_server function. This makes it possible for authenticated attackers, with author-level access and above, to write files with attacker-controlled content to arbitrary locations on the server. The unsanitized 'layers[].id' parameter is concatenated into a filesystem path and passed to PHP's copy() function, allowing traversal sequences (e.g. '../../') to escape the intended upload directory and write attacker-supplied file contents to arbitrary paths accessible by the web server process. The save_template REST endpoint is gated by the create_projects permission (edit_pixmagix + upload_files), which Author-level users hold by default after plugin activation, making this exploitable by any Author on sites running PixMagix.


Analysis

by VulDB Data Team • 06/30/2026

The PixMagix WordPress plugin contains a critical directory traversal vulnerability affecting all versions up to and including 1.7.2, a significant risk for WordPress installations. The flaw lies in the move_image_on_server function, which does not sanitize user input before using it in filesystem operations: the 'layers[].id' parameter is concatenated directly into a filesystem path that is then passed to PHP's copy() function, so the caller controls where the copied file is written.

Authenticated attackers with author-level privileges or higher can therefore write arbitrary files across the server filesystem. Injecting traversal sequences such as '../../' into the 'layers[].id' parameter escapes the intended upload directory and writes attacker-controlled content to any location accessible to the web server process. The root cause is missing input validation at the core of the plugin's file handling: nothing normalizes the path or rejects parent-directory and separator components before the copy.
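As an added illustration, not PixMagix's own code: a hypothetical move-image helper written in the pattern the advisory describes (an untrusted layer id joined into a path and handed to copy()), next to a hardened version that allow-lists the id and confirms the resolved target stays inside the upload directory. Function and variable names are assumptions.

```php
<?php
// Added illustration, not PixMagix's code. Function and variable names are assumed.

// Vulnerable pattern described in the advisory: the untrusted id is joined into the
// destination path unchanged, so '../' segments are honoured by copy().
function move_image_vulnerable(string $uploadDir, string $layerId, string $tmpFile): bool
{
    $dest = $uploadDir . '/' . $layerId . '.png';
    return copy($tmpFile, $dest);
}

// Hardened check 1: allow-list the identifier. No separators, no dots, no NUL bytes.
function is_safe_layer_id(string $layerId): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $layerId) === 1;
}

// Hardened check 2: prove the destination's parent directory resolves to the upload
// directory itself. realpath() collapses '..' segments and follows symlinks.
function path_is_inside(string $base, string $dest): bool
{
    $realBase = realpath($base);
    $realParent = realpath(dirname($dest));
    return $realBase !== false && $realParent !== false && $realParent === $realBase;
}

function move_image_hardened(string $uploadDir, string $layerId, string $tmpFile): bool
{
    if (!is_safe_layer_id($layerId)) {
        return false;
    }
    // In WordPress, sanitize_file_name() is a further defence for the final segment.
    $dest = rtrim($uploadDir, '/') . '/' . $layerId . '.png';
    if (!path_is_inside($uploadDir, $dest)) {
        return false;
    }
    return copy($tmpFile, $dest);
}

// Constructed sample ids: only the first survives the allow-list.
foreach (['layer_12', '../../escape', 'sub/dir', "x\0y", ''] as $id) {
    printf("%-18s %s\n", var_export($id, true), is_safe_layer_id($id) ? 'accepted' : 'rejected');
}
```

The allow-list alone blocks traversal; the realpath() containment check is defence in depth for the case where an identifier format must later be loosened.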

The impact goes beyond a typical plugin bug because the attacker chooses where the file is placed within the web server's accessible directories. The attack vector is the save_template REST endpoint, which requires only the create_projects permission; that permission is granted to authors automatically when the plugin is activated, so any user with author-level access on an affected site can reach the vulnerable code. This broad reachability materially increases the attack surface and the likelihood of successful exploitation across WordPress installations.

The weakness is CWE-22 (Directory Traversal) and maps to ATT&CK techniques for privilege escalation and persistence through filesystem manipulation. It is a classic case of insufficient input sanitization: user-controllable data flows into a critical filesystem operation without validation or normalization. Organizations running affected versions of PixMagix face elevated risk of unauthorized code execution, data compromise, and potential full system takeover if the vulnerability is exploited effectively.

Mitigation starts with updating the plugin to a version that fixes the traversal flaw, together with network-level restrictions on the REST API endpoints so that only authorized users can reach them. Administrators should also consider file integrity monitoring, a web application firewall, and removing unnecessary capabilities from author-level users. More generally, the bug underlines the importance of input validation in plugin development and of sandboxing that confines filesystem writes even when the calling user holds elevated privileges.

Responsible: Wordfence

Reservation: 06/05/2026

Disclosure: 06/30/2026

Moderation: accepted

CPE: ready

EPSS: 0.00000

KEV: no

Activities: very low
