RCE Vulnerabilities in PHP Everywhere Plugin Threaten Thousands of WordPress Sites

Written by Emma Davis

Wordfence has discovered three dangerous RCE vulnerabilities in the popular PHP Everywhere plugin, which is installed on about 30,000 WordPress sites. All three bugs were rated 9.9 out of 10 on the CVSS scale and can be used to execute arbitrary code remotely.

As the name suggests, PHP Everywhere makes it easy for WordPress site administrators to inject PHP code into any page, sidebar, post, or any Gutenberg block.

The vulnerabilities found by the researchers can be exploited by contributors and, in one case, by ordinary subscribers, and they affect all versions of the plugin up to and including 2.0.3.

The first vulnerability, CVE-2022-24663, stems from the fact that WordPress lets any authenticated user render shortcodes through the parse-media-shortcode AJAX action. A logged-in user, even one with nothing more than subscriber privileges, can therefore send a request whose shortcode parameter causes arbitrary PHP code to be executed, which can end in a complete takeover of the site.

The second issue, CVE-2022-24664, concerns how PHP Everywhere handles metaboxes: it lets any user with the edit_posts capability use them.

"Untrusted contributor-level users can use the PHP Everywhere metabox to execute arbitrary code on the site by creating a post, adding PHP code to the PHP Everywhere metabox, and then previewing that post. While this vulnerability has the same CVSS score as the shortcode vulnerability, it is less severe because it requires contributor privileges," the experts say.

The third vulnerability, CVE-2022-24665, rests on the fact that users with edit_posts rights can use PHP Everywhere's Gutenberg blocks, which gives an attacker the ability to tamper with the site and execute arbitrary code. This functionality can be restricted with the admin-only option, but versions prior to 2.0.3 do not enable it by default.
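For a site that cannot yet move off the vulnerable plugin, the two checks below show what an interim, defender-side mu-plugin for the shortcode path (CVE-2022-24663) and the admin-only restriction described above could look like. This is an added illustration, not code from Wordfence or from the PHP Everywhere project; it assumes the plugin's shortcode tag is php_everywhere and that the tag is registered by the time the init hook finishes, neither of which the article states.

```php
<?php
/**
 * Plugin Name: Interim hardening for PHP Everywhere (illustrative)
 *
 * Added example for this article, not code from Wordfence or the
 * PHP Everywhere project. Meant for wp-content/mu-plugins/ on a site
 * that has not yet updated to 3.0.0. Assumptions: the shortcode tag is
 * 'php_everywhere' and it is registered before 'init' finishes.
 */

// Layer 1 (CVE-2022-24663): WordPress core registers its parse-media-shortcode
// AJAX handler at priority 1, so a priority-0 hook runs first and can refuse
// subscriber-level callers before any shortcode is evaluated.
add_action( 'wp_ajax_parse-media-shortcode', function () {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'parse-media-shortcode requires edit_posts.', 403 );
    }
}, 0 );

// Layer 2: wrap the shortcode handler so PHP only runs when an administrator
// is responsible for it, mirroring the plugin's "admin-only" option that the
// article says was not enabled by default in the vulnerable versions.
add_action( 'init', function () {
    global $shortcode_tags;
    $tag = 'php_everywhere'; // assumption: the plugin's shortcode tag
    if ( empty( $shortcode_tags[ $tag ] ) ) {
        return; // nothing registered under that tag, so nothing to wrap
    }
    $original = $shortcode_tags[ $tag ];
    $shortcode_tags[ $tag ] = function ( $atts, $content = null ) use ( $original ) {
        if ( wp_doing_ajax() ) {
            // Ad-hoc evaluation (e.g. parse-media-shortcode): the caller
            // must be an administrator.
            $allowed = current_user_can( 'manage_options' );
        } else {
            // Normal rendering: the visitor is irrelevant; what matters is
            // who authored the content that contains the shortcode.
            $post    = get_post();
            $allowed = $post && user_can( (int) $post->post_author, 'manage_options' );
        }
        return $allowed ? call_user_func( $original, $atts, $content ) : '';
    };
}, PHP_INT_MAX );
```

The metabox and Gutenberg block paths (CVE-2022-24664 and CVE-2022-24665) are not covered by this wrapper; updating to 3.0.0 remains the actual fix.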

The developer of PHP Everywhere released a patched version, 3.0.0, back on January 10, 2022. Unfortunately, according to official statistics, only about 15,000 of the 30,000 sites have so far updated the plugin to the secure version.

As a reminder, we also wrote that the OptinMonster WordPress plugin allows code injection into vulnerable sites, and that a vulnerability in the File Manager plugin was used to attack millions of WordPress sites.


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
