RCE Vulnerabilities in PHP Everywhere Plugin Threaten Thousands of WordPress Sites

WordFence has discovered three dangerous RCE vulnerabilities in the popular PHP Everywhere plugin, which is used by 30,000 WordPress sites. All bugs were rated 9.9 out of 10 on the CVSS vulnerability rating scale and can be used to remotely execute arbitrary code.

Problems found by specialists can be exploited by both contributors and simple subscribers, and bugs are dangerous for all versions of WordPress from 2.0.3 and below.

The first vulnerability is identified as CVE-2022-24663 and is related to the fact that WordPress allows authenticated users to use shortcodes using AJAX parse-media-shortcode. That is, if the user is logged in (even if he has low privileges as a regular subscriber), the request sent by him with the shortcode parameter can be used to execute arbitrary PHP code, which can eventually lead to a full resource grab.

The second issue, CVE-2022-24664, is related to how PHP Everywhere manages metaboxes and allows any user with the edit_posts ability to use these functions.

The third vulnerability has received the identifier CVE-2022-24665 and is based on the fact that users with edit_posts rights can use Gutenberg blocks in PHP Everywhere. That is, an attacker gets the opportunity to interfere with the operation of the site and execute arbitrary code. This functionality can be restricted with the admin-only option, although versions prior to 2.0.3 do not have this implemented by default.

The developer of PHP Everywhere released a patched version of the plugin back on January 10, 2022, giving it the number 3.0.0. Unfortunately, according to official statistics, so far only about 15,000 out of 30,000 sites have updated the plugin to a secure version.

Let me remind you that we also wrote that OptinMonster WordPress plugin lets to inject code into vulnerable sites, and also that Due to vulnerability in File Manager plugin attacked millions of WordPress sites.