๐Ÿ” CVE Alert

CVE-2022-3568

HIGH 8.8

ImageMagick Engine <= 1.7.5 - Cross-Site Request Forgery to PHAR Deserialization

CVSS Score
8.8
EPSS Score
0.0%
EPSS Percentile
0th

The ImageMagick Engine plugin for WordPress is vulnerable to deserialization of untrusted input via the 'cli_path' parameter in versions up to, and including 1.7.5. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.

CWE CWE-502
Vendor rickardw
Product imagemagick engine
Published Feb 9, 2023
Last Updated Apr 8, 2026
Stay Ahead of the Next One

Get instant alerts for rickardw imagemagick engine

Be the first to know when new high vulnerabilities affecting rickardw imagemagick engine are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

rickardw / ImageMagick Engine
0 โ‰ค 1.7.5

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/4a2ca2f0-1d4a-4614-86ba-a46e765f4a9f?source=cve github.com: https://github.com/orangelabweb/imagemagick-engine/blob/1.7.4/imagemagick-engine.php#L529 github.com: https://github.com/orangelabweb/imagemagick-engine/blob/v.1.7.2/imagemagick-engine.php#L529 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2801283%40imagemagick-engine&new=2801283%40imagemagick-engine&sfp_email=&sfph_mail= wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/4a2ca2f0-1d4a-4614-86ba-a46e765f4a9f

Credits

Rasoul Jahanshahi