cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches for imagemagick-engine

Jun 07, 2024

ImageMagick Engine # 6cb0395475935241d90680a0eb6309da4bf0ab1a

Application

ImageMagick Engine

Date
Oct 19, 2022
Research Description
ImageMagick Engine [imagemagick-engine] < 1.7.6: WordPress ImageMagick Engine plugin <= 1.7.6 - Auth. Remote Code Execution (RCE) vulnerability. Auth. Remote Code Execution (RCE) vulnerability discovered by ABDO10 in WordPress ImageMagick Engine plugin (versions <= 1.7.6). No patched version is available. Version 1.7.6 only added a nonce token to fix the CSRF vulnerability.
Affected versions
Min -, max -.
Status
vulnerable

ImageMagick Engine # CVE-2022-2441

CVE, Research URL

CVE-2022-2441

Application

ImageMagick Engine

Date
Oct 20, 2023
Research Description
The ImageMagick Engine plugin for WordPress is vulnerable to remote code execution via the 'cli_path' parameter in versions up to, and including, 1.7.5. This makes it possible for unauthenticated users to run arbitrary commands leading to remote command execution, granted they can trick a site administrator into performing an action such as clicking on a link. This makes it possible for an attacker to create and/or modify files hosted on the server, which can easily grant attackers backdoor access to the affected server.
Affected versions
Min -, max -.
Status
vulnerable

ImageMagick Engine # CVE-2022-3568

CVE, Research URL

CVE-2022-3568

Application

ImageMagick Engine

Date
Feb 10, 2023
Research Description
The ImageMagick Engine plugin for WordPress is vulnerable to deserialization of untrusted input via the 'cli_path' parameter in versions up to, and including, 1.7.5. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action such as clicking on a link, that will deserialize and call arbitrary PHP objects that can be used to perform a variety of malicious actions, granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
Affected versions
Min -, max -.
Status
vulnerable
May 19, 2025

ImageMagick Engine # CVE-2024-6486

CVE, Research URL

CVE-2024-6486

Application

ImageMagick Engine

Date
May 16, 2025
Research Description
The ImageMagick Engine WordPress plugin before 1.7.11 is vulnerable to OS Command Injection via the "cli_path" parameter. This allows authenticated attackers with administrator-level permission to execute arbitrary OS commands on the server, leading to remote code execution.
Affected versions
Min -, max -.
Status
vulnerable