  • How To Fix Critical Remote Code Execution Vulnerabilities In PHP Everywhere WordPress Plugin
February 10, 2022 | 4m


WordPress security company Wordfence uncovered three critical remote code execution vulnerabilities in the PHP Everywhere WordPress plugin. Successful exploitation may allow any authenticated user of any level, including subscribers and customers, to execute code on the WordPress site, which could lead to a full site takeover. Let’s look at the details of the vulnerabilities and how to fix them.

PHP Everywhere WordPress Plugin:

PHP Everywhere is a WordPress plugin that lets website owners insert and execute PHP code almost anywhere on the site: pages, posts, the sidebar, header, footer, and any other place where a Gutenberg block can be placed. In other words, it gives owners a way to run PHP code from any part of their website.

Summary Of Critical Remote Code Execution Vulnerabilities In PHP Everywhere:

Wordfence disclosed a total of three remote code execution vulnerabilities in the plugin. All three are rated 9.9 (Critical) on the CVSS rating system. Let’s explore them.

  1. CVE-2022-24663

  2. CVE-2022-24664

  3. CVE-2022-24665

Summary Of CVE-2022-24663:

By default, the PHP Everywhere plugin allows execution of PHP code snippets via WordPress shortcodes. Unfortunately, this ability is extended to users with almost no permissions, such as a Subscriber or a Customer. This allowed any low-privileged authenticated user to execute arbitrary PHP on the site just by sending a request with the shortcode parameter set to [php_everywhere]<arbitrary PHP>[/php_everywhere].

Associated CVE ID: CVE-2022-24663
Description: Remote Code Execution by Subscriber+ users via shortcode
CVSS Score: 9.9 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Summary Of CVE-2022-24664:

By default, the PHP Everywhere plugin allows all users with the edit_posts capability to use the PHP Everywhere metabox. This allows Contributor-level users to carry out remote code execution on the site by creating a post, adding PHP code to the PHP Everywhere metabox, and then previewing the post. Although it has the same CVSS score, this vulnerability is considered less severe than the first one because it requires Contributor-level access to exploit.

Associated CVE ID: CVE-2022-24664
Description: Remote Code Execution by Contributor+ users via metabox
CVSS Score: 9.9 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Summary Of CVE-2022-24665:

By default, the PHP Everywhere plugin allows all users with the edit_posts capability to use the PHP Everywhere Gutenberg block. This allows Contributor-level users to carry out remote code execution on the site by creating a post, adding the PHP Everywhere block with code, and previewing the post. Although it has the same CVSS score, this vulnerability is considered less severe than the first one because it requires Contributor-level access to exploit.

Associated CVE ID: CVE-2022-24665
Description: Remote Code Execution by Contributor+ users via Gutenberg block
CVSS Score: 9.9 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

How To Fix Critical Remote Code Execution Vulnerabilities In PHP Everywhere WordPress Plugin?

These vulnerabilities affect PHP Everywhere versions 2.0.3 and earlier. The plugin author has addressed them in v3.0.0. We urge you to upgrade immediately to version 3.0.0 or later to fix the RCE vulnerabilities.

Important note for Classic Editor users: the latest version, 3.0.0, does not support the Classic Editor. The upgrade is only possible for Gutenberg users; Classic Editor users need to switch to an alternative tool to keep this feature.
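Because the fix is a version cut-off, the practical check on a fleet of sites is to read each installed copy's version and compare it against 2.0.3. The script below is an added example, not code from the post or from the plugin: it parses the standard `Version:` field of a WordPress plugin file header and reports whether the install falls in the affected range. The sample header is constructed for the example, and the plugin file path quoted in the comment is an assumption about where the header normally lives.

```python
import re

# From the post: releases up to and including 2.0.3 are affected, 3.0.0 carries the fix.
LAST_VULNERABLE = (2, 0, 3)
FIXED = (3, 0, 0)
ADVISORIES = "CVE-2022-24663, CVE-2022-24664, CVE-2022-24665"

# Constructed sample of a WordPress plugin file header (the real file would be the
# plugin's main PHP file under wp-content/plugins/, path assumed here).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: PHP Everywhere
 * Description: Add PHP code everywhere
 * Version: 2.0.3
 */
"""


def parse_version(text):
    """Turn '2.0.3' into (2, 0, 3); missing components count as 0 so '1.9' sorts as (1, 9, 0)."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        raise ValueError(f"not a version string: {text!r}")
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def version_from_plugin_header(header_text):
    """Extract the 'Version:' header field WordPress uses to identify the plugin release."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    if not match:
        raise ValueError("no Version: field found in plugin header")
    return match.group(1)


def is_vulnerable(version_text):
    """True when the installed release is at or below the last affected version."""
    return parse_version(version_text) <= LAST_VULNERABLE


def audit(header_text):
    """One-line verdict for an installed copy of the plugin."""
    version = version_from_plugin_header(header_text)
    fixed = ".".join(str(n) for n in FIXED)
    if is_vulnerable(version):
        return f"PHP Everywhere {version}: VULNERABLE ({ADVISORIES}); upgrade to {fixed} or later"
    return f"PHP Everywhere {version}: not affected"


if __name__ == "__main__":
    print(audit(SAMPLE_HEADER))
```

On a live site the same version string can be read with WP-CLI (`wp plugin get php-everywhere --field=version`, slug assumed) or from the Plugins screen, and fed to `is_vulnerable`. Remember that an upgrade is only complete once the vulnerable code is gone: a site that cannot move to 3.0.0 because it relies on the Classic Editor should deactivate and remove the plugin rather than stay on 2.0.3.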

We hope this post helps you understand how to fix the critical remote code execution vulnerabilities in the PHP Everywhere WordPress plugin. Thanks for reading.

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
