ImageMagick Engine < 1.7.11 – Administrator+ OS Command Injection | CVE 2024-6486 | Plugin Vulnerabilities

Description

The ImageMagick Engine plugin for WordPress is vulnerable to OS Command Injection via the "cli_path" parameter. This allows authenticated attackers, with administrator-level permission to execute arbitrary OS commands on the server leading to remote code execution.

Proof of Concept

1. Go to ImageMagick Engine settings.
2. Insert a OS command payload (e.g.: /usr/bin;curl localhost -d name=`id`;) in the "ImageMagick path" textbox then save setting.

Affects Plugins

imagemagick-engine

Fixed in 1.7.11

References

CVE

Classification

Type

COMMAND INJECTION

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Chaiwat Thongyaem

Submitter

Chaiwat Thongyaem

Submitter website

https://www.datafarm.co.th/

Verified

Yes

WPVDB ID

a57c0c59-8b5c-4221-a9db-19f141650d9b

Timeline

Publicly Published

2024-06-26 (about 1 year ago)

Added

2024-09-20 (about 1 year ago)

Last Updated

2024-10-01 (about 1 year ago)

Other

Published

Title

Published

2023-10-05

Title

Newsletter Lite < 4.9.3 - Admin+ Command Injection

Published

2024-06-24

Title

Insert or Embed Articulate Content into WordPress < 4.3000000024 - Author+ Arbitrary File Upload

Published

2025-03-25

Title

Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid < 1.17.0 - Authenticated (Admin+) Command Injection

Published

2025-09-29

Title

Post By Email <= 1.0.4b - Unauthenticated Arbitrary File Upload via Email Attachments

Published

2024-11-26

Title

Total Upkeep < 1.16.7 - Authenticated (Administrator+) Remote Code Execution via Backup Settings