CVE-2022-3568
📋 TL;DR
The ImageMagick Engine WordPress plugin up to and including version 1.7.5 contains a PHP object deserialization vulnerability in the 'cli_path' parameter. An unauthenticated attacker can exploit it through a PHAR (phar://) stream wrapper to deserialize arbitrary PHP objects, provided they can upload a file to the site and trick an administrator into clicking a link. This affects WordPress sites running vulnerable versions of the ImageMagick Engine plugin.
💻 Affected Systems
- WordPress ImageMagick Engine plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete site compromise, data theft, malware deployment, or site defacement.
Likely Case
Limited code execution or file manipulation, since exploitation requires both the ability to upload a file and an administrator clicking an attacker-controlled link.
If Mitigated
No impact if plugin is patched or disabled, or if file uploads are restricted and administrators are trained.
🎯 Exploit Status
Exploitation requires multiple steps: uploading a file, social engineering an administrator into triggering the deserialization, and the presence of a usable POP (property-oriented programming) gadget chain in the site's PHP code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.6
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'ImageMagick Engine' and update to version 1.7.6 or later.
4. Alternatively, deactivate and delete the plugin if it is not needed.
🔧 Temporary Workarounds
Disable plugin: Deactivate the ImageMagick Engine plugin if it is not essential for site functionality.
Restrict file uploads: Implement strict file upload controls to prevent malicious file uploads.
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block requests containing PHAR wrappers or suspicious deserialization patterns.
- Educate administrators about phishing risks and implement strict access controls for file upload functionality.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for ImageMagick Engine version. If version is 1.7.5 or lower, you are vulnerable.
Check Version:
No direct command; check via the WordPress admin interface, or examine the Version: field in the plugin header at the top of wp-content/plugins/imagemagick-engine/imagemagick-engine.php.
Verify Fix Applied:
After updating, verify the plugin version shows 1.7.6 or higher in WordPress admin panel.
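The version check above can be scripted against the plugin's main file. The following is an added example, not part of the advisory or of the plugin: it reads the standard WordPress plugin header comment, extracts the Version: field and compares it numerically against 1.7.6, the fixed release named above. SAMPLE_HEADER is a constructed stand-in used only when the real file is absent, so the script runs offline; the plugin path and the version numbers are taken from this advisory, everything else in the sample is placeholder.

```python
"""Check the installed ImageMagick Engine plugin version against the fixed release.

Added example (not the advisory's or the plugin's own code). It parses the
WordPress plugin header of imagemagick-engine.php and compares the Version:
field numerically with 1.7.6. When the plugin file is not present, a
constructed sample header is used instead so the check can be run offline.
"""
import re
from pathlib import Path

FIXED_VERSION = "1.7.6"  # first fixed release named in the advisory
PLUGIN_FILE = Path("wp-content/plugins/imagemagick-engine/imagemagick-engine.php")

# Constructed sample in the WordPress plugin-header format; only the plugin
# name and the (vulnerable) version number come from the advisory.
SAMPLE_HEADER = """<?php
/*
Plugin Name: ImageMagick Engine
Version: 1.7.5
Author: (placeholder)
*/
"""

# Matches "Version: x.y.z" at line start, allowing the comment-block prefixes
# WordPress headers commonly use (" * ", "/*", "#").
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_plugin_version(header_text):
    """Return the Version: field from a WordPress plugin header, or None if absent."""
    m = VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(version):
    """'1.7.10' -> (1, 7, 10). Numeric comparison matters: as strings,
    '1.7.10' < '1.7.6' is true and would mark a fixed release as vulnerable."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def is_vulnerable(version):
    """True when the installed version is older than the fixed release."""
    return version_tuple(version) < version_tuple(FIXED_VERSION)


def check_plugin(path=PLUGIN_FILE):
    """Read the plugin header (WordPress itself only reads the first 8 KB) and
    report the version and whether it is below the fixed release."""
    if path.exists():
        with path.open(errors="replace") as fh:
            text = fh.read(8192)
        source = str(path)
    else:
        text, source = SAMPLE_HEADER, "constructed sample header"
    version = parse_plugin_version(text)
    if version is None:
        return {"version": None, "vulnerable": None, "source": source}
    return {"version": version, "vulnerable": is_vulnerable(version), "source": source}


if __name__ == "__main__":
    result = check_plugin()
    print(f"{result['source']}: version {result['version']} -> "
          f"{'VULNERABLE, update to ' + FIXED_VERSION if result['vulnerable'] else 'fixed or not applicable'}")
```

Run it from the WordPress document root; if the plugin is installed it reads the real header, otherwise it falls back to the sample and reports 1.7.5 as vulnerable.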
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads with .phar extensions
- Requests containing 'phar://' in parameters
- Unexpected PHP object deserialization errors
Network Indicators:
- HTTP requests with 'cli_path' parameter containing PHAR wrappers
SIEM Query:
source="web_logs" AND (uri_path="/wp-admin/admin-ajax.php" OR uri_path LIKE "%/wp-content/plugins/imagemagick-engine/%") AND (query_string LIKE "%cli_path=%phar://%" OR user_agent LIKE "%exploit%")
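The log indicators listed above can be checked directly against web server access logs. The following is an added example, not part of the advisory: it scans lines in the common/combined log format for a 'cli_path' parameter carrying a phar:// wrapper, for phar:// in any other parameter, and for requests to .phar files. Parameter values are URL-decoded (a second pass catches double-encoding) and matched case-insensitively before comparison, which a literal LIKE "%phar://%" in the SIEM query above would miss. All log lines in the block are constructed samples, not real traffic.

```python
"""Detect PHAR-wrapper indicators in web server access logs.

Added example (not the advisory's own code). Parses common/combined-format
access log lines and flags the indicators the advisory lists. Sample log lines
are constructed for the example.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Common log format: client, identd, user, [time], "METHOD URI PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
PHAR_RE = re.compile(r"phar://", re.IGNORECASE)

SAMPLE_LOG_LINES = [
    # constructed: benign view of the plugins page
    '203.0.113.10 - - [12/Oct/2022:14:05:01 +0000] "GET /wp-admin/plugins.php HTTP/1.1" 200 5120',
    # constructed: cli_path carrying a URL-encoded phar:// wrapper
    '198.51.100.7 - - [12/Oct/2022:14:06:33 +0000] "GET /wp-admin/admin-ajax.php?cli_path=phar%3A%2F%2F/var/www/html/wp-content/uploads/2022/10/avatar.jpg HTTP/1.1" 200 42',
    # constructed: same indicator, double-encoded and upper-cased
    '198.51.100.7 - - [12/Oct/2022:14:06:40 +0000] "GET /wp-admin/admin-ajax.php?cli_path=PHAR%253A%252F%252F/tmp/x.jpg HTTP/1.1" 200 42',
    # constructed: direct request for a .phar file under the uploads directory
    '198.51.100.7 - - [12/Oct/2022:14:07:02 +0000] "GET /wp-content/uploads/2022/10/avatar.phar HTTP/1.1" 404 196',
]


def analyze_line(line):
    """Return an alert dict for a suspicious log line, or None if it is clean or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    uri = m.group("uri")
    parts = urlsplit(uri)
    path = unquote(parts.path)
    # parse_qs decodes one layer of percent-encoding; the extra unquote below
    # catches double-encoded values.
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons, severity = [], "medium"
    for name, values in params.items():
        for value in values:
            if PHAR_RE.search(unquote(value)):
                reasons.append(f"phar:// wrapper in parameter {name!r}")
                if name == "cli_path":
                    severity = "high"  # the parameter named in the advisory
    if path.lower().endswith(".phar"):
        reasons.append("request for a .phar file")
    if not reasons:
        return None
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "uri": uri,
        "status": m.group("status"),
        "severity": severity,
        "reasons": reasons,
    }


def scan(lines):
    """Run analyze_line over an iterable of log lines and return the alerts."""
    return [alert for alert in (analyze_line(line) for line in lines) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG_LINES):
        print(f"[{alert['severity'].upper()}] {alert['ip']} {alert['uri']} -> {'; '.join(alert['reasons'])}")
```

Feed real logs with `scan(open("access.log"))`; the .phar file indicator is rated medium because a request for such a file shows a file with that name is present or being probed for, while a phar:// value in cli_path matches the vulnerable parameter itself and is rated high.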
🔗 References
- https://github.com/orangelabweb/imagemagick-engine/blob/1.7.4/imagemagick-engine.php#L529
- https://github.com/orangelabweb/imagemagick-engine/blob/v.1.7.2/imagemagick-engine.php#L529
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2801283%40imagemagick-engine&new=2801283%40imagemagick-engine&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/4a2ca2f0-1d4a-4614-86ba-a46e765f4a9f