PHP Everywhere WordPress Plugin Remote Code Execution Alert

PHP Everywhere Remote Code Execution
PHP Everywhere is an open-source WordPress plugin that enables PHP code everywhere in your WordPress installation. Using this plugin you can use PHP in Pages, Posts, the Sidebar, and anywhere you can place a Gutenberg block. The plugin also supports different user restrictions and multiple PHP instances. The PHP Everywhere plugin was recently disclosed to have three serious security vulnerabilities. The plugin has been used by more than 30,000 websites around the world. Attackers can exploit the vulnerabilities on the affected websites to execute arbitrary code.
All three vulnerabilities are rated 9.9 out of 10 on the CVSS rating system and affect versions 2.0.3 and below, with the following details:
  • CVE-2022-24663 – Remote Code Execution by Subscriber+ users via shortcode
  • CVE-2022-24664 – Remote Code Execution by Contributor+ users via metabox
  • CVE-2022-24665 – Remote Code Execution by Contributor+ users via Gutenberg block

If a website uses the vulnerable plugin, attackers will be able to exploit it to execute malicious PHP code, or even achieve a complete takeover of the website. WordPress security firm Wordfence disclosed the vulnerabilities to Alexander Fuchs, the plugin’s author, on January 4. Alexander Fuchs released version 3.0.0 on January 12, which completely removed the vulnerable code.

According to the PHP Everywhere description, “The update to version 3.0.0 of this plugin is a breaking change that removes the [php_everywhere] shortcode and widget. Run the upgrade wizard from the plugin’s settings page to migrate your old code to Gutenberg blocks.”

According to WordPress statistics, only 15,000 websites have updated the plugin since the bug was fixed.
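Since roughly half of the installations are still on a vulnerable release, a defender's first step is an inventory check: read each plugin's version header and compare it against the version that carries the fix. The following script is an added example written for this alert, not code from the plugin or from Wordfence. It assumes the standard WordPress layout `wp-content/plugins/<slug>/<main>.php` with the usual plugin header block (`Plugin Name:`, `Version:`), and it assumes the plugin's directory slug is `php-everywhere`; the only facts taken from the alert are the affected range (2.0.3 and below) and the fixed version (3.0.0). The sample plugin tree it scans is constructed in a temporary directory so the script runs offline.

```python
"""Flag WordPress plugins whose installed version is below a known fix.

Added example for the PHP Everywhere alert; not the plugin's or Wordfence's code.
Assumptions: plugins live in wp-content/plugins/<slug>/, the main .php file
carries a standard WordPress plugin header, and the slug is 'php-everywhere'.
"""
import os
import re
import tempfile
from typing import Dict, List, Optional, Tuple

# slug -> first version that carries the fix; anything below is flagged.
# The entry reflects the alert: 2.0.3 and below vulnerable, fixed in 3.0.0.
FIXED_IN: Dict[str, str] = {
    "php-everywhere": "3.0.0",  # slug assumed, see module docstring
}

# Matches header lines such as " * Version: 2.0.3" inside the /** ... */ block.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE)


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.0.3' -> (2, 0, 3). A non-numeric piece ('beta') ends the tuple
    instead of raising, so odd version strings still compare sanely."""
    parts: List[int] = []
    for piece in v.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_below(installed: str, fixed: str) -> bool:
    """True when installed < fixed, compared component-wise as integers so
    '2.0.10' is newer than '2.0.3' and '3.0' equals '3.0.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def read_plugin_header(plugin_dir: str) -> Optional[Dict[str, str]]:
    """Return the header fields of the first top-level .php file that declares
    'Plugin Name:'. Only the first 8 KiB is read, like WordPress itself does."""
    for name in sorted(os.listdir(plugin_dir)):
        path = os.path.join(plugin_dir, name)
        if not (name.endswith(".php") and os.path.isfile(path)):
            continue
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)
        fields = dict(HEADER_RE.findall(head))
        if "Plugin Name" in fields:
            return fields
    return None


def find_vulnerable(plugins_root: str) -> List[Tuple[str, str, str]]:
    """Return (slug, installed_version, fixed_version) for every plugin in
    FIXED_IN that is present under plugins_root and still below the fix.
    A plugin whose version cannot be read is flagged as 'unknown' rather
    than silently treated as patched."""
    findings: List[Tuple[str, str, str]] = []
    for slug in sorted(os.listdir(plugins_root)):
        fixed = FIXED_IN.get(slug)
        pdir = os.path.join(plugins_root, slug)
        if fixed is None or not os.path.isdir(pdir):
            continue
        hdr = read_plugin_header(pdir)
        if hdr is None or "Version" not in hdr:
            findings.append((slug, "unknown", fixed))
        elif version_below(hdr["Version"], fixed):
            findings.append((slug, hdr["Version"], fixed))
    return findings


def build_sample_site() -> str:
    """Create a throwaway plugins tree: one outdated PHP Everywhere header and
    one unrelated plugin. Constructed sample data, not real plugin code."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    header = "<?php\n/**\n * Plugin Name: {name}\n * Version: {ver}\n */\n"
    samples = {
        ("php-everywhere", "php_everywhere.php"): ("PHP Everywhere", "2.0.3"),
        ("some-other-plugin", "plugin.php"): ("Some Other Plugin", "1.4.0"),
    }
    for (slug, main), (name, ver) in samples.items():
        os.makedirs(os.path.join(root, slug))
        with open(os.path.join(root, slug, main), "w", encoding="utf-8") as fh:
            fh.write(header.format(name=name, ver=ver))
    return root


if __name__ == "__main__":
    for slug, installed, fixed in find_vulnerable(build_sample_site()):
        print(f"{slug}: installed {installed}, fixed in {fixed} -> update required")
```

Point `find_vulnerable` at a real `wp-content/plugins` directory to check a live site; the `FIXED_IN` table can be extended with other slug/version pairs as advisories arrive, and the "unknown" result deliberately errs on the side of flagging a plugin whose header cannot be parsed.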