Researchers discovered that the ‘PHP Everywhere’ plugin for WordPress has three serious remote code execution (RCE) vulnerabilities. PHP Everywhere is a WordPress plugin used by more than 30,000 websites globally. It allows administrators to embed PHP code in pages, posts, sidebar, or any Gutenberg block to show dynamic content based on PHP expressions that have been evaluated.
Wordfence security experts uncovered three vulnerabilities that may be exploited by contributors or subscribers and affect all plugin versions up to and including 2.0.3. Here's a short overview of the weaknesses:
- CVE-2022-24663 – RCE flaw exploitable by any subscriber. It allows them to send a request with the ‘shortcode’ parameter set to PHP Everywhere and execute arbitrary PHP code on the site. (CVSS v3 score: 9.9)
- CVE-2022-24664 – RCE vulnerability which contributors can abuse through the plugin’s metabox. An attacker would create a post, add a PHP code metabox, then preview it. (CVSS v3 score: 9.9)
- CVE-2022-24665 – RCE flaw, which can be abused by contributors who hold the ‘edit_posts’ capability and can therefore add PHP Everywhere Gutenberg blocks. The default security setting on vulnerable plugin versions is not ‘admin-only’, as it should be. (CVSS v3 score: 9.9)
While the last two vulnerabilities are harder to exploit because they require contributor-level rights, the first is much easier, because it can be abused by simply becoming a site subscriber. For instance, a logged-in customer on a website is typically a ‘subscriber’, so merely registering on the target site would be enough to obtain the rights needed to execute malicious PHP code.
In all situations, executing arbitrary code on a website can result in a total site takeover, which is the worst-case scenario in website security.
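The common thread in all three flaws is that a PHP-evaluation feature was reachable by low-privilege roles instead of being gated to administrators. The following is an added illustration, not code from PHP Everywhere or Wordfence: a hypothetical shortcode handler named `evalme` (invented for this example) shown first without any capability check, then restricted so that evaluation only happens for content saved by an administrator, with the allowed capability defaulting to `manage_options`. The option name `evalme_required_cap` is likewise an assumption.

```php
<?php
// Added example (hypothetical shortcode "evalme"; not the plugin's own code).
// Both handlers take the PHP to run from the shortcode's "code" attribute.

// Vulnerable pattern: whoever gets this shortcode rendered reaches eval()
// with no check on who authored the content or what role they hold.
function insecure_php_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'code' => '' ), $atts, 'evalme' );
    ob_start();
    eval( $atts['code'] ); // runs whatever the attribute contains
    return ob_get_clean();
}

// Hardened pattern: evaluate only inside a saved post whose author holds the
// required capability. The capability is configurable but defaults to
// manage_options, i.e. administrators only, so a fresh install is safe.
function hardened_php_shortcode( $atts ) {
    $post_id = get_the_ID();
    if ( ! $post_id ) {
        // No post context (e.g. the shortcode arrived via a request rather
        // than stored content): refuse to evaluate anything.
        error_log( 'evalme: refused evaluation outside a post context' );
        return '';
    }

    // Decide by the author's rights, not the viewer's: current_user_can()
    // would answer for the visitor reading the page, which is the wrong user.
    $author_id    = (int) get_post_field( 'post_author', $post_id );
    $required_cap = get_option( 'evalme_required_cap', 'manage_options' ); // assumed option name

    if ( ! user_can( $author_id, $required_cap ) ) {
        error_log( sprintf(
            'evalme: refused evaluation in post %d; author %d lacks %s',
            $post_id, $author_id, $required_cap
        ) );
        return '';
    }

    $atts = shortcode_atts( array( 'code' => '' ), $atts, 'evalme' );
    ob_start();
    eval( $atts['code'] );
    return ob_get_clean();
}

// Register only the hardened handler.
add_shortcode( 'evalme', 'hardened_php_shortcode' );
```

The point of checking the post author rather than the current user is that a subscriber or contributor who manages to get the shortcode rendered (in a preview, a block, or a crafted request) is still refused, because the decision rests on who saved the content and whether that account is an administrator. Keeping the default at `manage_options` addresses the "not admin-only by default" weakness described above.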
On January 4, 2022, the Wordfence team found the vulnerabilities and notified the creator of PHP Everywhere. On January 10, 2022, the vendor published version 3.0.0, a security update that required a significant code overhaul and therefore received a large version number jump. Although the developers corrected the issue last month, administrators commonly fail to update their WordPress sites and plugins regularly.
According to download stats, only 15,000 out of 30,000 WordPress.org installs have upgraded the plugin after the problems were patched. As a result of the severity of these vulnerabilities, all PHP Everywhere users are strongly encouraged to upgrade to PHP Everywhere version 3.0.0, which is the most recent version available at this time.
If you are using the Classic Editor on your site, you will need to remove it and find another way to host your custom PHP code, because version 3.0.0 supports PHP snippets only through the Block editor, and it is doubtful that the author will try to restore Classic Editor support.