CVE-2022-3568 in ImageMagick Engine Plugin
Summary
by MITRE • 02/10/2023
The ImageMagick Engine plugin for WordPress is vulnerable to deserialization of untrusted input via the 'cli_path' parameter in versions up to, and including, 1.7.5. This makes it possible for unauthenticated users to call files using a PHAR wrapper, granted they can trick a site administrator into performing an action, such as clicking on a link, that will deserialize and call arbitrary PHP Objects that can be used to perform a variety of malicious actions granted a POP chain is also present. It also requires that the attacker is successful in uploading a file with the serialized payload.
Analysis
by VulDB Data Team • 04/09/2026
CVE-2022-3568 affects the ImageMagick Engine plugin for WordPress in versions up to and including 1.7.5. It is a critical security flaw caused by improper handling of user-supplied data during deserialization. The vulnerability manifests through the 'cli_path' parameter, which accepts untrusted input without adequate sanitization or validation. The flaw falls under CWE-502, which addresses deserialization of untrusted data, making it a prime target for attackers seeking to execute arbitrary code on affected systems.
The vulnerability enables unauthenticated attackers to leverage a PHAR (PHP Archive) wrapper to execute malicious code on vulnerable WordPress installations. Exploitation is a multi-step process: attackers must first successfully upload a file containing serialized PHP objects that can be triggered during deserialization. This attack vector is particularly dangerous because it can be initiated without authentication, though it does require social engineering to convince an administrator to perform an action such as clicking a malicious link. The vulnerability essentially creates a path for attackers to deserialize arbitrary PHP objects that can be chained together to perform various malicious operations, including privilege escalation, data exfiltration, or system compromise.
The operational impact of CVE-2022-3568 extends beyond simple code execution as it represents a complete bypass of traditional authentication mechanisms within the WordPress ecosystem. Attackers can leverage this vulnerability to gain unauthorized access to sensitive system information, manipulate website content, or establish persistent backdoors on compromised sites. The requirement for a successful file upload adds an additional layer of complexity to the attack but also makes it more feasible since many WordPress installations have insufficient file upload restrictions or misconfigured security measures. This vulnerability directly maps to ATT&CK technique T1059.007 which covers the execution of code through PHP scripts, and T1566 which addresses social engineering attacks that can be used to trick administrators into performing malicious actions.
Mitigation strategies for this vulnerability require immediate patching of the affected ImageMagick Engine plugin to versions that properly sanitize input parameters and implement secure deserialization practices. Organizations should also implement network-level restrictions to prevent unauthorized file uploads and establish monitoring procedures to detect suspicious file upload activities. The fix should include proper validation of the 'cli_path' parameter to ensure that only trusted, expected values are accepted, and that any user-supplied input undergoes thorough sanitization before processing. Additionally, implementing proper access controls and limiting administrative privileges can reduce the potential impact if an attacker successfully exploits this vulnerability. Security teams should also consider implementing web application firewalls and intrusion detection systems to monitor for exploitation attempts targeting this specific vulnerability pattern.
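One way to apply the 'cli_path' validation described above, as an added example that is not the plugin's code or its actual fix. The function name `validate_cli_path`, the allow-listed directories and the sample inputs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the plugin): returns the canonical directory
// if $input is acceptable as an ImageMagick CLI directory, otherwise null.
function validate_cli_path(string $input, array $allowedDirs): ?string
{
    $input = trim($input);

    // Reject before any filesystem call: stream-wrapper URLs (phar://,
    // php://, zip:// ...) and NUL bytes must never reach is_dir()/realpath().
    if ($input === '' || strpos($input, "\0") !== false) {
        return null;
    }
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $input) === 1) {
        return null;
    }
    // This sketch accepts absolute POSIX paths only.
    if ($input[0] !== '/') {
        return null;
    }

    // Canonicalise (resolves symlinks and ../), then require an exact match
    // against the allow-list rather than a prefix match.
    $real = realpath($input);
    if ($real === false || !is_dir($real)) {
        return null;
    }
    foreach ($allowedDirs as $dir) {
        $dirReal = realpath($dir);
        if ($dirReal !== false && $real === $dirReal) {
            return $real;
        }
    }
    return null;
}

// Constructed sample inputs (assumed values, not taken from the advisory).
$allowed = ['/usr/bin', '/usr/local/bin'];
$samples = [
    '/usr/bin',
    '/usr/bin/../bin',
    'phar:///var/www/wp-content/uploads/avatar.jpg/x',
    'PHAR://./uploads/a.png',
    '/tmp',
    "/usr/bin\0.jpg",
];
foreach ($samples as $s) {
    $result = validate_cli_path($s, $allowed);
    printf("%-50s => %s\n", addcslashes($s, "\0"), $result ?? 'REJECTED');
}
```

The scheme check runs before `realpath()` and `is_dir()` because, on PHP versions before 8.0, ordinary filesystem functions called on a `phar://` path deserialize the archive's metadata.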