Table of Contents
  • Home
  • /
  • Blog
  • /
  • How To Fix Critical Remote Code Execution Vulnerabilities In PHP Everywhere WordPress Plugin
February 10, 2022
|
4m

How To Fix Critical Remote Code Execution Vulnerabilities In PHP Everywhere WordPress Plugin


How To Fix Critical Remote Code Execution Vulnerabilities In Php Everywhere Wordpress Plugin

WordPress defence company Wordfence uncovered three critical remote code execution vulnerabilities in PHP Everywhere WordPress plugin. The successful exploitation of the vulnerabilities may allow attackers to any authenticated user of any level, including subscribers and customers, to execute code on the WordPress site that could lead to takeover the site. Let’s see more details about the vulnerabilities and how to fix them up.

PHP Everywhere WordPress Plugin:

This is a WordPress plugin allows website owners to insert and execute PHP code on pretty much anywhere in the site like pages, posts, sidebar, header, footer, and every place where you can place a Gutenberg block. It provide owners to insert PHP code on any part of their website.

Summary Of Critical Remote Code Execution Vulnerabilities In PHP Everywhere:

Wordfense disclosed total three remote code execution vulnerabilities on the plugin. All the three plugins are rated 9.9 on the CVSS rating system with critical severity. Let’s explore.

  1. CVE-2022-24663

  2. CVE-2022-24664

  3. CVE-2022-24665

Summary Of CVE-2022-24663:

By default, PHP Everywhere plugin allows execution of PHP Code Snippets via WordPress shortcodes. Unfortunately, this is extended to user with almost no permissions, such as a Subscriber or a Customer. This allowed any low privileged authenticated users to execute arbitrary PHP on the site just by sending a request with the shortcode parameter set to [php_everywhere]<arbitrary PHP>[/php_everywhere].

Associated CVE IDCVE-2022-24663
DescriptionRemote Code Execution by Subscriber+ users via shortcode
Associated ZDI ID
CVSS Score9.9 Critical
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)Low
User Interaction (UI)None
ScopeChanged
Confidentiality (C)High
Integrity (I)High
availability (a)High

Summary Of CVE-2022-24664:

By default, the PHP Everywhere plugin allows all users with the edit_posts capability to use the PHP Everywhere metabox. This allows Contributor-level users to carry out remote code execution on the site by creating a post, adding PHP code to the PHP Everywhere metabox, and then previewing the post. Although it has the same CVSS score, this vulnerability is considered less severe than the first one because it requires contributor-level access to exploit this vulnerability.

Associated CVE IDCVE-2022-24664
DescriptionRemote Code Execution by Contributor+ users via metabox
Associated ZDI ID
CVSS Score9.9 Critical
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)Low
User Interaction (UI)None
ScopeChanged
Confidentiality (C)High
Integrity (I)High
availability (a)High

Summary Of CVE-2022-24665:

By default, PHP Everywhere plugin allows all users to use PHP Everywhere Gutenberg block with the edit_posts capability. This allows Contributor-level users to carry out remote code execution on the site by creating a post, adding the PHP everywhere block with code and previewing the post.  This vulnerability is considered less severe compare to the first one although it has the same CVSS score, because it requires contributor level access to exploit this vulnerability.

Associated CVE IDCVE-2022-24665
DescriptionRemote Code Execution by Contributor+ users via gutenberg block
Associated ZDI ID
CVSS Score9.9 Critical
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV)Network
Attack Complexity (AC)Low
Privilege Required (PR)Low
User Interaction (UI)None
ScopeChanged
Confidentiality (C)High
Integrity (I)High
availability (a)High

How To Fix Critical Remote Code Execution Vulnerabilities In PHP Everywhere WordPress Plugin?

These vulnerabilities affect the PHP plugin less than or equal to version 2.0.3. Plugin author has addressed these vulnerabilities in v3.0.0. We urge you to immediately upgrade to the version greater or equal to 3.0.0 to fix the RCE vulnerabilities.

Important note for classic WordPress editor users: The latest version, 3.0.0 doesn’t support the classic editor. The upgrade is only possible for Gutenberg users. Classic users are required to use alternate tools to have the feature.

We hope this post would help you know about How to Fix Critical Remote Code Execution Vulnerabilities in PHP Everywhere WordPress Plugin. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page in FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

You may also like these articles:

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

Recently added

Vulnerabilities

View All

Learn More About Cyber Security Security & Technology

“Knowledge Arsenal: Empowering Your Security Journey through Continuous Learning”

Cybersecurity All-in-One For Dummies - 1st Edition

"Cybersecurity All-in-One For Dummies" offers a comprehensive guide to securing personal and business digital assets from cyber threats, with actionable insights from industry experts.

Tools

Featured

View All

Learn Something New with Free Email subscription

Subscribe

Subscribe