Researchers at Wordfence have found critical vulnerabilities in a popular WordPress plugin called PHP Everywhere, affecting thousands of websites.

The remote code execution bug in one of the bugs found will let even a general subscriber inject malicious PHP code in a target site. Websites having this plugin and running on WordPress v2.0.3 and below are vulnerable, say researchers. Although, a patch update is available.

RCE Bug in a WordPress Plugin

In the routine of finding new bugs affecting WordPress sites, the Wordfence team has found three critical vulnerabilities in a popular plugin called PHP Everywhere. This is being used by over 30,000 WordPress websites in wild, say researchers.

Their findings include as below;

  • CVE-2022-24664 – RCE vulnerability exploitable by contributors via the plugin’s metabox. An attacker would create a post, add a PHP code metabox, and then preview it. (CVSS v3 score: 9.9)
  • CVE-2022-24663 – Remote code execution flaw exploitable by any subscriber by allowing them to send a request with the ‘shortcode’ parameter set to PHP Everywhere, and execute arbitrary PHP code on the site. (CVSS v3 score: 9.9)
  • CVE-2022-24665 – RCE flaw exploitable by contributors who have the ‘edit_posts’ capability and can add PHP Everywhere Gutenberg blocks. Default security setting on vulnerable plugin versions isn’t on ‘admin-only’ as it should be. (CVSS v3 score: 9.9)

It’s unusual that all the three bugs have very high severity scores (9.9/10), which are lurking around without knowing the developers. The third bug from the above list is even more critical, as it can be exploited by a subscriber.

Anyone registering as a general subscriber to a target site can have the privilege of executing malicious PHP code, leading to site takeover ultimately. Although the first two bugs need at least contributor access to the target site, they’re still significant.

Wordfence team has spotted these vulnerabilities on January 4, 2022, and informed the PHP Everywhere maker immediately. Though the author released patches for these bugs on January 10, 2022, it’s still the responsibility of the WordPress site owners to update the plugin from their end.

And to note, the current patch update (v.3.0.0) is only good for sites with Block Editors, leaving the ones with Classic editors vulnerable. As of now, it’s found that only half of the total 30,000 sites have updated this plugin.


Please enter your comment!
Please enter your name here