The PHP Everywhere plugin for WordPress is used by over 30,000 websites worldwide. Researchers have found three critical remote code execution (RCE) vulnerabilities in it.
The PHP Everywhere plugin lets WordPress administrators insert PHP code into pages, posts, the sidebar, or any Gutenberg block. It is used to display dynamic content based on evaluated PHP expressions.
PHP Everywhere Plugin Three RCE Flaws
According to researchers at Wordfence, the three vulnerabilities they discovered can be exploited by contributors or subscribers and affect PHP Everywhere versions 2.0.3 and below.
- CVE-2022-24663 – Remote code execution flaw exploitable by any subscriber: sending a request with the ‘shortcode’ parameter set to PHP Everywhere’s shortcode executes arbitrary PHP code on the site. (CVSS v3 score: 9.9)
- CVE-2022-24664 – RCE vulnerability exploitable by contributors via the plugin’s metabox. Bad actors can create a post, add a PHP code metabox, and then preview it. (CVSS v3 score: 9.9)
- CVE-2022-24665 – RCE flaw exploitable by contributors who have the ‘edit_posts’ capability and can add PHP Everywhere Gutenberg blocks. This is possible because the default security setting on vulnerable plugin versions isn’t ‘admin-only’ as it should be. (CVSS v3 score: 9.9)
The first vulnerability is open to much broader exploitation because it only requires a subscriber account on the site. The other two flaws are harder to exploit, as they require contributor-level permissions.
A logged-in customer on a site is a ‘subscriber,’ so merely registering on the target site would be enough to gain the privileges needed for malicious PHP code execution.
For all three vulnerabilities, executing arbitrary code on a site can lead to a complete site takeover, the worst possible outcome in website security.
How to Fix PHP Everywhere Plugin Vulnerability
Wordfence discovered the vulnerabilities on Jan 4, 2022, and informed the plugin’s authors. The vendor released the security update on Jan 10, 2022, as version 3.0.0, a major version bump because the fix required a substantial rewrite.
Although the fix was released last month, it is common for admins not to update their WordPress site and plugins regularly. Download stats on WordPress.org suggest only 15,000 of the 30,000 installs have updated the plugin since the bugs were fixed.
All PHP Everywhere users are strongly advised to upgrade to PHP Everywhere version 3.0.0, the latest version available right now.
Users of the Classic Editor will need to uninstall the plugin and find another solution for hosting custom PHP code in their site’s components, since version 3.0.0 of PHP Everywhere only supports PHP snippets via the Block editor. The plugin’s developer may be working on restoring Classic Editor functionality.
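As an added example (not from the article, Wordfence, or the plugin vendor), the following POSIX shell script shows how an administrator managing several WordPress installs could check whether each one still runs a pre-3.0.0 copy of the plugin. It assumes WP-CLI is on PATH and that the plugin’s WordPress.org slug is php-everywhere (both assumptions; the article names neither). The version comparison is kept in its own function so it can be checked without a live site.

```shell
#!/bin/sh
# Added example: check whether PHP Everywhere predates the 3.0.0 fix.
# Assumptions (not stated on the page): WP-CLI is installed, and the
# plugin slug is "php-everywhere".
FIXED_VERSION="3.0.0"

# version_lt A B -> exit status 0 when dotted version A is older than B.
# Missing components (e.g. "2.1" vs "2.1.0") are treated as 0.
version_lt() {
    v1="$1"; v2="$2"
    i=1
    while [ "$i" -le 3 ]; do
        p1=$(printf '%s' "$v1" | cut -d. -f"$i"); p1=${p1:-0}
        p2=$(printf '%s' "$v2" | cut -d. -f"$i"); p2=${p2:-0}
        if [ "$p1" -lt "$p2" ]; then return 0; fi
        if [ "$p1" -gt "$p2" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# php_everywhere_vulnerable VERSION -> 0 when VERSION still carries the three RCE flaws.
php_everywhere_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_site WP_PATH -> prints a verdict; exit 1 when an upgrade is needed.
check_site() {
    site="$1"
    installed=$(wp plugin get php-everywhere --path="$site" --field=version 2>/dev/null) || {
        echo "php-everywhere not installed at $site"
        return 0
    }
    if php_everywhere_vulnerable "$installed"; then
        echo "VULNERABLE: php-everywhere $installed (< $FIXED_VERSION) at $site -- upgrade or uninstall"
        return 1
    fi
    echo "ok: php-everywhere $installed at $site"
}

# Usage: ./check_php_everywhere.sh /var/www/site1 /var/www/site2
if [ "$#" -gt 0 ]; then
    for path in "$@"; do
        check_site "$path" || :
    done
fi
```

Running it against each install on a host gives a quick inventory of which sites still need the 3.0.0 upgrade; Classic Editor sites that cannot take the upgrade show up in the same report and can be scheduled for removal of the plugin instead.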