
Cloud Vulnerability DB
A community-led vulnerabilities database
The ImageMagick Engine WordPress plugin before version 1.7.11 contains a critical OS Command Injection vulnerability (CVE-2024-6486). The vulnerability affects the plugin's handling of the "cli_path" parameter and can be exploited by authenticated users with administrator-level permissions (Wiz).
The vulnerability exists in the ImageMagick Engine plugin's settings page, specifically in the "ImageMagick path" textbox configuration. An authenticated administrator can inject OS commands through the "cli_path" parameter, which is not properly sanitized before being processed by the server, potentially leading to remote code execution on the affected system (WPScan).
If successfully exploited, this vulnerability allows authenticated attackers with administrator-level permissions to execute arbitrary operating system commands on the server. This could lead to complete server compromise through remote code execution (Wiz).
Users should immediately update the ImageMagick Engine plugin to version 1.7.11 or later, which contains the fix for this vulnerability (Wiz).
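As an added illustration of the defect class described above (this is example code written for this page, not the ImageMagick Engine plugin's own code, and every function and constant name in it is hypothetical): a setting that names an executable on the server must be validated as a path and the program must then be started without a shell. The checker below accepts only an absolute, existing, executable file whose basename is one of the ImageMagick front-ends, rejects any value containing whitespace or shell metacharacters, and then invokes the binary through the array form of `proc_open` (PHP 7.4 and later), so no part of the value is ever parsed by `/bin/sh`.

```php
<?php
// Added example, not the plugin's code. All names here are hypothetical.

/** Binaries an "ImageMagick path" setting is allowed to point at. */
const ALLOWED_IM_BINARIES = ['convert', 'magick'];

/**
 * Validate an administrator-supplied executable path.
 * Returns the canonical path on success, or null if the value is rejected.
 */
function validate_cli_path(string $raw): ?string
{
    $path = trim($raw);

    // Accept only a plain absolute path: no whitespace, no shell metacharacters.
    if (!preg_match('~^/[A-Za-z0-9._/-]+$~', $path)) {
        return null;
    }

    // Resolve symlinks and "../" so the later checks see the real file.
    $real = realpath($path);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        return null;
    }

    // Only a known ImageMagick front-end may be configured, not an arbitrary executable.
    if (!in_array(basename($real), ALLOWED_IM_BINARIES, true)) {
        return null;
    }

    return $real;
}

/**
 * Run the validated binary with argv-style arguments and no shell.
 * Returns [exit code, stdout], or null if the path did not validate.
 */
function run_imagemagick(string $raw_cli_path, array $args): ?array
{
    $bin = validate_cli_path($raw_cli_path);
    if ($bin === null) {
        return null;
    }

    // The array form of proc_open (PHP >= 7.4) executes the program directly,
    // so neither the path nor the arguments pass through /bin/sh.
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(array_merge([$bin], $args), $descriptors, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $code = proc_close($proc);

    return [$code, $stdout];
}

// Constructed sample inputs: the first is the kind of value the setting should hold;
// the rest are shapes a validator must reject (constructed strings, not real payloads).
$samples = [
    '/usr/bin/convert',        // accepted only if that file exists and is executable
    '/usr/bin/convert;x',      // command separator
    '/usr/bin/convert $(x)',   // whitespace and command substitution
    '../../bin/sh',            // relative path, and not an allowed binary
    '/usr/bin/env',            // real executable, but not an ImageMagick front-end
];
foreach ($samples as $s) {
    $v = validate_cli_path($s);
    printf("%-26s => %s\n", $s, $v === null ? 'rejected' : 'accepted: ' . $v);
}

// Example invocation, assuming ImageMagick is installed at that path:
// run_imagemagick('/usr/bin/convert', ['-version']);
```

Treating the textbox value as ordinary text (trimming or HTML-escaping it) does not address this bug class: the value has to be validated as a filesystem path against an allowlist of binaries, and the process has to be started without a shell, so that a value which passes validation cannot change what is executed.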
Source: This report was generated using AI