How to Fix Critical Remote Code Execution Vulnerabilities in PHP Everywhere WordPress Plugin

WordPress security company Wordfence uncovered three critical remote code execution vulnerabilities in the PHP Everywhere WordPress plugin. Successful exploitation may allow any authenticated user of any level, including subscribers and customers, to execute code on the WordPress site, which could lead to a full site takeover. Let’s look at the details of the vulnerabilities and how to fix them.

PHP Everywhere WordPress Plugin:

PHP Everywhere is a WordPress plugin that lets website owners insert and execute PHP code almost anywhere in the site: pages, posts, sidebar, header, footer, and every place where a Gutenberg block can be placed. In short, it lets owners run PHP on any part of their website.

Summary Of Critical Remote Code Execution Vulnerabilities In PHP Everywhere:

Wordfence disclosed a total of three remote code execution vulnerabilities in the plugin. All three are rated 9.9 (Critical) on the CVSS scale. Let’s explore.

  1. CVE-2022-24663
  2. CVE-2022-24664
  3. CVE-2022-24665

Summary Of CVE-2022-24663:

By default, the PHP Everywhere plugin allows execution of PHP code snippets via WordPress shortcodes. Unfortunately, this is extended to users with almost no permissions, such as a Subscriber or a Customer. This allowed any low-privileged authenticated user to execute arbitrary PHP on the site just by sending a request with the shortcode parameter set to [php_everywhere]<arbitrary PHP>[/php_everywhere].

Associated CVE ID: CVE-2022-24663
Description: Remote Code Execution by Subscriber+ users via shortcode
CVSS Score: 9.9 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privilege Required (PR): Low
User Interaction (UI): None
Scope: Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High
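Because the first vulnerability is delivered as a shortcode inside a request parameter, web-server logs give a direct detection signal. The following Python snippet is an added example, not code from this post or from the PHP Everywhere plugin: it parses access-log lines in Combined Log Format (the lines are constructed for the example, not real traffic) and flags every request whose query parameters, after percent-decoding, contain the [php_everywhere] tag. The post does not name the endpoint that renders the shortcode, so the /index.php path in the sample lines is an assumption; the detector inspects all query parameters regardless of path.

```python
"""Added detection example for CVE-2022-24663: flag HTTP requests that carry the
[php_everywhere] shortcode tag in a request parameter.  Sample log lines are
constructed for this example and are not real traffic."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed Combined Log Format lines.  The /index.php path is an assumption
# (the post does not name the endpoint that renders the shortcode); the detector
# looks at every query parameter regardless of path.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Feb/2022:08:15:01 +0000] "GET /?s=hello HTTP/1.1" 200 5123
203.0.113.11 - - [10/Feb/2022:08:16:22 +0000] "POST /index.php?shortcode=%5Bphp_everywhere%5D%3C%3Fphp+echo+1%3B+%3F%3E%5B%2Fphp_everywhere%5D HTTP/1.1" 200 17
203.0.113.12 - - [10/Feb/2022:08:17:05 +0000] "GET /index.php?shortcode=%255Bphp_everywhere%255Dtest%255B%252Fphp_everywhere%255D HTTP/1.1" 200 4
203.0.113.13 - - [10/Feb/2022:08:18:40 +0000] "GET /?p=42&preview=true HTTP/1.1" 200 6100
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# The opening shortcode tag is the indicator; whatever PHP sits inside it is irrelevant.
SHORTCODE_RE = re.compile(r"\[\s*php_everywhere\b", re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded values are still seen.
    Returns (decoded_value, extra_rounds), where extra_rounds counts decodes
    beyond the one parse_qsl already performed."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def find_shortcode_requests(log_text):
    """Return one finding per query parameter that contains the shortcode tag."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        query = urlsplit(m.group("target")).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value, rounds = fully_decode(raw)
            if SHORTCODE_RE.search(value):
                findings.append({
                    "ip": m.group("ip"),
                    "timestamp": m.group("ts"),
                    "method": m.group("method"),
                    "status": int(m.group("status")),
                    "param": name,
                    "decoded": value[:120],
                    "decode_rounds": rounds,
                })
    return findings


if __name__ == "__main__":
    for hit in find_shortcode_requests(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["ip"]} {hit["method"]} param={hit["param"]} '
              f'double_encoded={hit["decode_rounds"] > 0} value={hit["decoded"]!r}')
```

Run against the sample, it reports the two shortcode-bearing requests (one of them double-encoded) and ignores the ordinary search and preview requests. A standard access log only records the query string, so a request that carries the parameter in a POST body will not be caught this way; for those, run the same check over a WAF or application log that records request bodies.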

Summary Of CVE-2022-24664:

By default, the PHP Everywhere plugin allows all users with the edit_posts capability to use the PHP Everywhere metabox. This allows Contributor-level users to carry out remote code execution on the site by creating a post, adding PHP code to the PHP Everywhere metabox, and then previewing the post. Although it has the same CVSS score, this vulnerability is considered less severe than the first one because exploiting it requires Contributor-level access.

Associated CVE ID: CVE-2022-24664
Description: Remote Code Execution by Contributor+ users via metabox
CVSS Score: 9.9 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privilege Required (PR): Low
User Interaction (UI): None
Scope: Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Summary Of CVE-2022-24665:

By default, the PHP Everywhere plugin allows all users with the edit_posts capability to use the PHP Everywhere Gutenberg block. This allows Contributor-level users to carry out remote code execution on the site by creating a post, adding the PHP Everywhere block with code, and previewing the post. Although it has the same CVSS score, this vulnerability is considered less severe than the first one because exploiting it requires Contributor-level access.

Associated CVE ID: CVE-2022-24665
Description: Remote Code Execution by Contributor+ users via Gutenberg block
CVSS Score: 9.9 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privilege Required (PR): Low
User Interaction (UI): None
Scope: Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

How To Fix Critical Remote Code Execution Vulnerabilities In PHP Everywhere WordPress Plugin?

These vulnerabilities affect PHP Everywhere versions up to and including 2.0.3. The plugin author addressed them in v3.0.0. We urge you to upgrade immediately to version 3.0.0 or later to fix the RCE vulnerabilities.

Important note for Classic Editor users: the latest version, 3.0.0, does not support the Classic Editor. The upgrade is only possible for Gutenberg users; Classic Editor users will need an alternative tool to keep this functionality.
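For anyone managing several WordPress installs, the fix boils down to a version comparison against the numbers above. The following Python snippet is an added example, not code from this post or from the PHP Everywhere project: it reads the Version: line from a plugin's header comment and classifies the install as vulnerable (2.0.3 or lower), fixed (3.0.0 or higher), or unverified for anything in between, which this post does not describe. The header texts are constructed for the example, and the plugin file path under wp-content/plugins is an assumption based on the plugin's slug.

```python
"""Added remediation check: decide whether an installed copy of PHP Everywhere is
in the affected range (<= 2.0.3) or carries the fix (>= 3.0.0) by reading the
plugin header.  The header texts below are constructed for this example."""
import os
import re

AFFECTED_MAX = (2, 0, 3)   # highest affected version named in the post
FIXED_MIN = (3, 0, 0)      # first version the post names as fixed

# WordPress plugin headers carry a "Version:" line inside the file's top comment.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(?P<v>\S+)\s*$", re.MULTILINE)

# Constructed headers in the two comment styles WordPress plugins commonly use.
SAMPLE_HEADERS = {
    "vulnerable_site": "<?php\n/**\n * Plugin Name: PHP Everywhere\n * Version: 2.0.3\n */\n",
    "fixed_site": "<?php\n/*\nPlugin Name: PHP Everywhere\nVersion: 3.0.0\n*/\n",
}


def parse_version(text):
    """Turn a dotted numeric version into a comparable tuple, padded to 3 parts.
    Anything that is not purely numeric (e.g. '3.0.0-beta1') is rejected so it is
    never silently treated as fixed."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    parts.extend([0] * (3 - len(parts)))
    return tuple(parts)


def read_plugin_version(header_text):
    """Extract the Version: value from plugin header text, or None if absent."""
    m = VERSION_RE.search(header_text)
    return m.group("v") if m else None


def classify(version):
    """Map a version string to 'vulnerable', 'fixed', 'unverified' or 'unknown'.
    'unverified' covers releases between 2.0.3 and 3.0.0, which the post does not
    describe; treat them as still needing the upgrade."""
    if version is None:
        return "unknown"
    try:
        v = parse_version(version)
    except ValueError:
        return "unknown"
    if v <= AFFECTED_MAX:
        return "vulnerable"
    if v >= FIXED_MIN:
        return "fixed"
    return "unverified"


def audit_site(wp_root):
    """Classify the plugin installed under a WordPress root directory.
    The plugin file path is an assumption based on the plugin's slug."""
    path = os.path.join(wp_root, "wp-content", "plugins",
                        "php-everywhere", "php-everywhere.php")
    if not os.path.isfile(path):
        return "not_installed"
    with open(path, encoding="utf-8", errors="replace") as fh:
        return classify(read_plugin_version(fh.read(8192)))


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        version = read_plugin_version(header)
        print(f"{label}: version {version} -> {classify(version)}")
```

The comparison is done on integer tuples rather than strings on purpose: as strings, "2.0.10" sorts below "2.0.3", so a naive check would misjudge later 2.x releases. Pre-release suffixes are reported as unknown rather than guessed at, so an operator has to look at them rather than have the script declare them safe.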

We hope this post helps you understand how to fix the critical remote code execution vulnerabilities in the PHP Everywhere WordPress plugin. Thanks for reading.

About the author

Arun KL
