Critical RCE flaws in PHP Everywhere WordPress plugin affect thousands of sites

Pierluigi Paganini February 10, 2022

WordPress plugin PHP Everywhere is affected by three critical issues that can be exploited to execute arbitrary code on affected systems.

Wordfence experts found three critical remote code execution vulnerabilities in the PHP Everywhere WordPress plugin, all the issues have received a CVSS score of 9.9.

The plugin that allows WordPress admins to insert PHP code in pages, posts, the sidebar, or any Gutenberg block, to display dynamic content based on evaluated PHP expressions.

“On January 4, 2022, the Wordfence Threat Intelligence team began the responsible disclosure process for several Remote Code Execution vulnerabilities in PHP Everywhere, a WordPress plugin installed on over 30,000 websites. One of these vulnerabilities allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin installed.” reads the advisory published by Wordfence. “As the vulnerabilities were of critical severity, we contacted the WordPress plugin repository with our disclosure in addition to initiating outreach to the plugin author.”

The plugin is used by over 30,000 websites worldwide, an attacker could exploit the three flaws to execute arbitrary code on affected systems.

Below is the list of the three vulnerabilities that affect versions 2.0.3 and below:

  • CVE-2022-24663 – Remote code execution vulnerability that could be exploited by any subscriber  to send a request with the ‘shortcode’ parameter set to PHP Everywhere, and execute arbitrary PHP code on the site.
  • CVE-2022-24664 – Remote code execution vulnerability that can be exploited by contributors via the plugin’s metabox. An attacker would create a post, add a PHP code metabox, and then preview it.
  • CVE-2022-24665 – Remote code execution vulnerability that can be exploitable by contributors who have the ‘edit_posts’ capability to use the Gutenberg block. “While it was possible to set this to admin-only, this was not set by default due to versions <= 2.0.3 not being able to add capability checks without disabling the Gutenberg Block editor”

The development team addressed the flaw in January with the release of version 3.0.0.

Experts pointed out that version 3.0.0 only supports PHP snippets via the Block editor, this means that users who are still relying on the Classic Editor have to uninstall the plugin and chose another solution for using custom PHP code.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment