CVE-2022-2441
📋 TL;DR
The ImageMagick Engine WordPress plugin up to version 1.7.5 contains a Cross-Site Request Forgery (CSRF) vulnerability in the 'cli_path' parameter: the request that saves this setting is not protected by a nonce, so an unauthenticated attacker who tricks a logged-in administrator into opening a malicious link can change the path and cause arbitrary commands to be executed on the server. This leads to remote code execution and potential server compromise, and affects all WordPress sites running a vulnerable version of the ImageMagick Engine plugin.
💻 Affected Systems
- WordPress ImageMagick Engine plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise with attacker gaining persistent backdoor access, data exfiltration, and lateral movement to other systems.
Likely Case
Website defacement, malware injection, credential theft, and unauthorized file creation/modification leading to backdoor installation.
If Mitigated
Limited impact with proper CSRF protections and file permission restrictions in place.
🎯 Exploit Status
Exploit requires social engineering to trick an administrator into clicking a malicious link. Public exploit code is available on Exploit-DB.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.6 and later
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'ImageMagick Engine' and check whether the version is 1.7.5 or lower.
4. Click 'Update Now' if available, or manually update to version 1.7.6+.
5. Verify the plugin is active and functioning correctly.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the ImageMagick Engine plugin until patched:
wp plugin deactivate imagemagick-engine
Implement CSRF protection
Add CSRF tokens (WordPress nonces) to all admin forms that change plugin settings and validate them server-side, together with a capability check, before saving the value.
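The following is an added example, not the plugin's own code and not the 1.7.6 fix, showing the pattern the workaround above asks for in WordPress terms: a settings handler for an option named `cli_path` is shown first in the unprotected shape the advisory describes, then hardened with a nonce (`wp_nonce_field` / `check_admin_referer`), a `manage_options` capability check, and a whitelist on the path value before it is stored. The option name `ime_example_cli_path`, the nonce action name, the admin page slug and every `ime_example_*` function are assumptions made for illustration; the WordPress functions called are core APIs.

```php
<?php
// Added example (not the plugin's own code): a settings handler for a
// hypothetical "cli_path" option, hardened against CSRF and against being
// pointed at an arbitrary command. Names prefixed ime_example_ are assumed.

// --- Unprotected pattern the advisory describes: the option is saved from a
// --- POST without proving the request came from an admin-rendered form.
function ime_example_save_cli_path_unsafe() {
    if ( isset( $_POST['cli_path'] ) ) {
        update_option( 'ime_example_cli_path', $_POST['cli_path'] ); // no nonce, no capability check
    }
}

// --- Hardened pattern.
const IME_EXAMPLE_NONCE_ACTION = 'ime_example_save_cli_path';

// Render the settings form with a nonce field bound to the action above.
function ime_example_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin.php?page=ime-example' ) ) . '">';
    wp_nonce_field( IME_EXAMPLE_NONCE_ACTION ); // emits the _wpnonce hidden field
    echo '<input type="text" name="cli_path" value="'
        . esc_attr( get_option( 'ime_example_cli_path', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// Accept only an absolute path with no shell metacharacters that resolves
// to an existing executable whose basename is one of the expected tools.
function ime_example_validate_cli_path( $path ) {
    $path = (string) $path;
    if ( $path === '' || $path[0] !== '/' ) {
        return false;
    }
    if ( preg_match( '/[^A-Za-z0-9_.\/-]/', $path ) ) { // rejects ; | & $ ` and whitespace
        return false;
    }
    $real = realpath( $path );
    if ( $real === false || ! is_executable( $real ) ) {
        return false;
    }
    return in_array( basename( $real ), array( 'convert', 'magick' ), true ) ? $real : false;
}

function ime_example_save_cli_path() {
    if ( ! isset( $_POST['cli_path'] ) ) {
        return;
    }
    // 1. Only users allowed to manage options may change a server-side path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges.' );
    }
    // 2. The request must carry a valid nonce for this action. A forged
    //    cross-site request cannot know the nonce, so this call dies instead.
    check_admin_referer( IME_EXAMPLE_NONCE_ACTION );
    // 3. Even a legitimate administrator may only select a sane binary path.
    $validated = ime_example_validate_cli_path( wp_unslash( $_POST['cli_path'] ) );
    if ( $validated === false ) {
        wp_die( 'cli_path must be an absolute path to the convert or magick binary.' );
    }
    update_option( 'ime_example_cli_path', $validated );
}

// Wherever the stored path is turned into a command, quote it and every
// argument so that option contents can never be parsed as shell syntax.
function ime_example_build_command( array $args ) {
    $cmd = escapeshellarg( get_option( 'ime_example_cli_path' ) );
    foreach ( $args as $a ) {
        $cmd .= ' ' . escapeshellarg( $a );
    }
    return $cmd;
}
```

The three checks are deliberately layered: the capability check stops non-admins, the nonce stops CSRF against admins, and the path whitelist plus `escapeshellarg` limits the damage if either of the first two is ever bypassed or the setting is changed through some other route (direct database access, an import, another plugin).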
🧯 If You Can't Patch
- Remove the ImageMagick Engine plugin completely and use alternative image processing solutions
- Implement strict file permissions and disable command execution capabilities for the web server user
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for ImageMagick Engine version. If version is 1.7.5 or lower, you are vulnerable.
Check Version:
wp plugin get imagemagick-engine --field=version
Verify Fix Applied:
Verify the plugin version is 1.7.6 or higher in WordPress admin panel. Test image processing functionality to ensure the plugin works correctly.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin.php with 'cli_path' parameter
- Unexpected command execution in system logs from web server user
- File creation/modification in WordPress directories by web server process
Network Indicators:
- HTTP requests containing 'cli_path' parameter with suspicious values
- Outbound connections from web server to unexpected destinations
SIEM Query:
source="web_server_logs" AND (uri_path="/wp-admin/admin.php" AND query_string="*cli_path=*")
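As an added example (not part of the advisory), the script below applies the log indicators above to combined-format access log lines: it flags any request to /wp-admin/admin.php that carries a `cli_path` query parameter, escalates when the value is not a plain absolute path, and additionally flags a Referer from a host other than the site's own, which is what a CSRF lure page typically produces. The log lines are constructed samples, the site hostname `blog.example` is an assumption, and the `ime_example_*` functions are illustrative. One caveat for the SIEM query above as well: a web server's access log records the query string but not the POST body, so a `cli_path` value sent only in the form body will not appear here and needs a WAF or application-level log to catch.

```php
<?php
// Added example (not from the advisory or the plugin): scan combined-format
// access log lines for the cli_path indicators. Sample lines are constructed.

const IME_EXAMPLE_SITE_HOST = 'blog.example'; // assumed hostname of the WordPress site

// Combined log format: ip - user [time] "METHOD target HTTP/x" status bytes "referer" "user-agent"
function ime_example_parse_log_line( $line ) {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'target'  => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
    );
}

// Returns a list of reasons the entry is suspicious, or null if unrelated.
function ime_example_classify( array $entry ) {
    $parts = parse_url( $entry['target'] );
    $path  = isset( $parts['path'] ) ? $parts['path'] : '';
    $query = array();
    if ( isset( $parts['query'] ) ) {
        parse_str( $parts['query'], $query ); // also URL-decodes the values
    }
    if ( $path !== '/wp-admin/admin.php' || ! array_key_exists( 'cli_path', $query ) ) {
        return null;
    }
    $reasons = array( 'cli_path parameter sent to admin.php' );
    $value   = (string) $query['cli_path'];
    if ( preg_match( '/[;&|`$<>]|\s/', $value ) || ( $value !== '' && $value[0] !== '/' ) ) {
        $reasons[] = 'cli_path value is not a plain absolute path';
    }
    $ref_host = $entry['referer'] === '' ? null : parse_url( $entry['referer'], PHP_URL_HOST );
    if ( $ref_host !== null && $ref_host !== IME_EXAMPLE_SITE_HOST ) {
        $reasons[] = 'referer is a foreign origin (' . $ref_host . ')';
    }
    return $reasons;
}

function ime_example_scan( array $lines ) {
    $hits = array();
    foreach ( $lines as $line ) {
        $entry = ime_example_parse_log_line( $line );
        if ( $entry === null ) {
            continue;
        }
        $reasons = ime_example_classify( $entry );
        if ( $reasons !== null ) {
            $hits[] = array(
                'ip'      => $entry['ip'],
                'time'    => $entry['time'],
                'method'  => $entry['method'],
                'reasons' => $reasons,
            );
        }
    }
    return $hits;
}

// Constructed sample lines: a normal page view, an admin legitimately saving
// the setting, and a request that arrived from a third-party page.
$ime_example_lines = array(
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-admin/admin.php?page=imagemagick-engine HTTP/1.1" 200 5120 "https://blog.example/wp-admin/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "POST /wp-admin/admin.php?page=imagemagick-engine&cli_path=/usr/bin/convert HTTP/1.1" 302 0 "https://blog.example/wp-admin/admin.php?page=imagemagick-engine" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:14:02:17 +0000] "POST /wp-admin/admin.php?page=imagemagick-engine&cli_path=/usr/bin/convert%3Bid HTTP/1.1" 302 0 "https://lure.example/post.html" "Mozilla/5.0"',
);

foreach ( ime_example_scan( $ime_example_lines ) as $hit ) {
    echo $hit['time'] . ' ' . $hit['ip'] . ' ' . $hit['method'] . ': ' . implode( '; ', $hit['reasons'] ) . PHP_EOL;
}
```

On the sample input the first line is ignored, the second is reported with only the baseline reason (an administrator saving a sane path from the site's own admin page), and the third is reported with all three reasons. Tuning the foreign-Referer rule to a list of the site's own hostnames is usually necessary on multi-domain installs.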
🔗 References
- https://github.com/orangelabweb/imagemagick-engine/blob/1.7.4/imagemagick-engine.php#L529
- https://github.com/orangelabweb/imagemagick-engine/blob/v.1.7.2/imagemagick-engine.php#L529
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2801283%40imagemagick-engine%2Ftrunk&old=2732430%40imagemagick-engine%2Ftrunk&sfp_email=&sfph_mail=
- https://www.exploit-db.com/exploits/51025
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b1f17a83-1df0-44fe-bd86-243cff6ec91b?source=cve
- https://www.wordfence.com/vulnerability-advisories-continued/#CVE-2022-2441