The FileOrganizer WordPress plugin before 1.1.9, Advanced File Manager WordPress plugin before 5.4.12, File Manager Pro WordPress plugin before 2.1.1, File Manager WordPress plugin before 8.0.4 do not properly escape a parameter before passing it to a shell command when processing image operations, allowing authenticated users to perform OS Command Injection. This requires the server to have the ImageMagick convert CLI available without either the PHP imagick or GD extensions.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-6382 is a critical OS command injection vulnerability affecting multiple WordPress file management plugins (FileOrganizer, Advanced File Manager, File Manager Pro, and File Manager) when processing image operations. The vulnerability stems from improper escaping of user-supplied parameters before passing them to shell commands via ImageMagick's convert CLI tool. This flaw is particularly dangerous because it requires only authenticated access—meaning any logged-in user can exploit it—and targets a common server configuration where ImageMagick is available without PHP's imagick or GD extensions. With a CVSS score of 9.1, this allows attackers to execute arbitrary OS commands with the privileges of the web server process, potentially leading to complete system compromise, data exfiltration, or lateral movement within the infrastructure.
While Casky's current skill set shows no direct mappings for this specific vulnerability pattern, a security practitioner using Claude AI with extended reasoning would detect exploitation attempts by monitoring for command injection attack patterns under MITRE ATT&CK categories such as T1059 (Command and Scripting Interpreter) and T1190 (Exploit Public-Facing Application). Detection would focus on identifying suspicious parameter values in image operation requests to affected plugins—particularly those containing shell metacharacters, command separators (semicolons, pipes, backticks), or variable substitution syntax. Practitioners should examine web server logs and WordPress audit trails for unusual image processing requests originating from authenticated users, coupled with unexpected system process spawning or shell command execution following those requests. Building custom detection rules around ImageMagick convert command invocations with untrusted input would be essential until these plugins are patched to version 1.1.9, 5.4.12, 2.1.1, or 8.0.4 respectively.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-6382. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation