How To Fix Critical Remote Code Execution Vulnerabilities In PHP Everywhere WordPress Plugin

WordPress defence company Wordfence uncovered three critical remote code execution vulnerabilities in PHP Everywhere WordPress plugin. The successful exploitation of the vulnerabilities may allow attackers to any authenticated user of any level, including subscribers and customers, to execute code on the WordPress site that could lead to takeover the site. Let’s see more details about the vulnerabilities and how to fix them up.

PHP Everywhere WordPress Plugin:

This is a WordPress plugin allows website owners to insert and execute PHP code on pretty much anywhere in the site like pages, posts, sidebar, header, footer, and every place where you can place a Gutenberg block. It provide owners to insert PHP code on any part of their website.

Summary Of Critical Remote Code Execution Vulnerabilities In PHP Everywhere:

Wordfense disclosed total three remote code execution vulnerabilities on the plugin. All the three plugins are rated 9.9 on the CVSS rating system with critical severity. Let’s explore.

Summary Of CVE-2022-24663:

By default, PHP Everywhere plugin allows execution of PHP Code Snippets via WordPress shortcodes. Unfortunately, this is extended to user with almost no permissions, such as a Subscriber or a Customer. This allowed any low privileged authenticated users to execute arbitrary PHP on the site just by sending a request with the shortcode parameter set to [php_everywhere]<arbitrary PHP>[/php_everywhere].

Summary Of CVE-2022-24664:

By default, the PHP Everywhere plugin allows all users with the edit_posts capability to use the PHP Everywhere metabox. This allows Contributor-level users to carry out remote code execution on the site by creating a post, adding PHP code to the PHP Everywhere metabox, and then previewing the post. Although it has the same CVSS score, this vulnerability is considered less severe than the first one because it requires contributor-level access to exploit this vulnerability.

Summary Of CVE-2022-24665:

By default, PHP Everywhere plugin allows all users to use PHP Everywhere Gutenberg block with the edit_posts capability. This allows Contributor-level users to carry out remote code execution on the site by creating a post, adding the PHP everywhere block with code and previewing the post.  This vulnerability is considered less severe compare to the first one although it has the same CVSS score, because it requires contributor level access to exploit this vulnerability.

How To Fix Critical Remote Code Execution Vulnerabilities In PHP Everywhere WordPress Plugin?

These vulnerabilities affect the PHP plugin less than or equal to version 2.0.3. Plugin author has addressed these vulnerabilities in v3.0.0. We urge you to immediately upgrade to the version greater or equal to 3.0.0 to fix the RCE vulnerabilities.

Important note for classic WordPress editor users: The latest version, 3.0.0 doesn’t support the classic editor. The upgrade is only possible for Gutenberg users. Classic users are required to use alternate tools to have the feature.

We hope this post would help you know about How to Fix Critical Remote Code Execution Vulnerabilities in PHP Everywhere WordPress Plugin. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page in Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this. 

You may also like these articles: