Directory Traversal Vulnerability in PixMagix – WordPress Image Editor Plugin
CVE-2026-11367

6.5 MEDIUM

Key Information:

Vendor: WordPress

CVE Published: 30 June 2026

What is CVE-2026-11367?

The PixMagix – WordPress Image Editor plugin is vulnerable to directory traversal, which allows authenticated users with author-level privileges to write arbitrary files to any location on the server. The issue arises from unsafe handling of user input in the move_image_on_server function, which does not properly sanitize file paths. The plugin's save_template API endpoint can allow attackers to use traversal sequences to reach sensitive areas of the filesystem, leading to severe security risks. All versions up to and including 1.7.2 are affected.

Affected Version(s)

PixMagix – WordPress Image Editor 0 <= 1.7.2

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

devploit