WordPress Plugin Vulnerabilities

ImageMagick-Engine < 1.7.6 - Command Injection via CSRF

Description

The plugin is missing CSRF checks in multiple actions, which could allow attackers to make a logged in admin perform unwanted actions. In this case, it could lead to RCE via Command Injection

Proof of Concept

Affects Plugins

Plugin icon
imagemagick-engine
Fixed in 1.7.6

References

CVE
CVE-2022-2441
Exploitdb
51025
URL
https://packetstormsecurity.com/files/#168722/

Classification

Type
COMMAND INJECTION
OWASP top 10
A1: Injection
CWE
CWE-78
CVSS
8.8 (high)

Miscellaneous

Original Researcher
ABDO10
Verified
No
WPVDB ID
0589c52a-93e4-4cbd-9147-90073d74c88f

Timeline

Publicly Published
2022-10-18 (about 3 years ago)
Added
2022-10-19 (about 3 years ago)
Last Updated
2024-10-01 (about 1 year ago)

Other

Published
Title
Published
2025-10-27
Title
W3 Total Cache < 2.8.13 - Unauthenticated Command Injection
Published
2022-07-22
Title
VR Calendar < 2.3.2 - Unauthenticated Arbitrary Function Call
Published
2023-12-22
Title
Backup Migration < 1.4.0 - Authenticated (Admin+) OS Command Injection via url
Published
2024-06-24
Title
Insert or Embed Articulate Content into WordPress < 4.3000000024 - Author+ Arbitrary File Upload
Published
2024-05-09
Title
Unlimited Elements For Elementor (Free Widgets, Addons, Templates) < 1.5.103 - Admin+ Command Injection