Three critical remote code execution (RCE) vulnerabilities in the PHP Everywhere plugin could put more than 30,000 WordPress websites worldwide at risk. This plugin allows website administrators to insert PHP code into their pages, displaying it as dynamic content based on PHP expressions.
The flaws were discovered by Wordfence security analysts and, according to the report, could be exploited by contributors or subscribers to the affected website, impacting all WordPress versions prior to 2.0.3.
Tracked as CVE-2022-24663, the first of these RCE flaws would allow the attacker to send a request with the ‘shortcode’ parameter set in PHP Everywhere and execute arbitrary PHP code on the affected site. Moreover, CVE-2022-24664 resides in the metabox of the affected plugin and CVE-2022-24665 would allow attackers to add PHP Everywhere Gutenberg blocks. All reported flaws received a 9.9/10 score according to the Common Vulnerability Scoring System (CVSS).
Experts report that the last two flaws are not easy to exploit, as they first require attackers to obtain contributor-level permissions on the compromised website, while CVE-2022-24663 requires a more trivial attack and only requires access as a subscriber to a WordPress website.
The Wordfence team discovered the flaws in early 2022 and informed the developers of their findings. PHP Everywhere released a security update on January 10 along with version 3.0.0, which features considerable code rewriting. If your website is using Classic Editor, you will need to uninstall the plugin and install the corrected version to completely fix the error.
The researchers add that there is still a lot of work to be done, as according to WordPress statistics, only 15,000 of the plugin’s 30,000 active installations have been updated since the flaws were addressed.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.