WordPress Plugin Vulnerabilities

ImageMagick Engine < 1.7.6 - PHAR Deserialization via CSRF

Description

The plugin does not validate the cli_path parameter and does not have CSRF check, which could allow attackers to make a logged in admin call a file with a PHAR wrapper via a CSRF attack. This could lead to PHAR deserialization when a suitable gadget chain is present on the blog and the attacker managed to upload a file with the payload

Affects Plugins

Plugin icon
imagemagick-engine
Fixed in 1.7.6

References

CVE
CVE-2022-3568

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Rasoul Jahanshahi
Verified
No
WPVDB ID
082d978e-65cd-4f30-a460-c939df62535c

Timeline

Publicly Published
2023-02-09 (about 3 years ago)
Added
2023-02-10 (about 3 years ago)
Last Updated
2023-02-10 (about 3 years ago)

Other

Published
Title
Published
2025-10-27
Title
Media Library File Download <= 1.4 - Cross-Site Request Forgery
Published
2020-04-02
Title
Woocommerce Subscriptions < 3.0.3 - CSRF to Cancel/Re-Activate Subscription
Published
2025-05-07
Title
LessButtons Social Sharing and Statistics <= 1.6.1 - Cross-Site Request Forgery
Published
2025-10-10
Title
GSheetConnector For Gravity Forms < 1.3.24 - Cross-Site Request Forgery to Arbitrary Plugin Activation/Deactivation
Published
2014-08-01
Title
Login With Ajax - Cross-Site Request Forgery