30,000 WordPress Websites Are at Risk Due to RCE Bugs in PHP Everywhere
Here’s What You Need to Know About the Recently Discovered Vulnerabilities and How to Stay Protected.
Three critical Remote Code Execution (RCE) weaknesses were discovered by cybersecurity experts in the ‘PHP Everywhere’ WordPress plugin, which is used by more than 30,000 sites all over the world.
What Is PHP Everywhere?
PHP Everywhere is a WordPress plugin that is intended to let site owners insert PHP code in pages, posts, the sidebar, or any Gutenberg block, and use it to show dynamic content based on evaluated PHP expressions.
The three Remote Code Execution vulnerabilities in PHP Everywhere were discovered by the Wordfence Threat Intelligence team and, according to them, one of the flaws enabled any authenticated user of any level, including subscribers and customers, to execute code on a website with the plugin installed.
The vulnerabilities affect all versions up to and including 2.0.3, but let’s take a closer look at them.
- The first vulnerability is identified as CVE-2022-24663 and has a CVSS severity score of 9.9. When exploited, this flaw allows any subscriber to send a request with the shortcode parameter set to PHP Everywhere and execute arbitrary PHP code on the website. This could lead to complete website takeover.
- The second RCE flaw discovered is CVE-2022-24664, which has a severity score of 9.9. Untrusted Contributor-level users could use the PHP Everywhere metabox to execute code on a website by creating a post, inserting PHP code into the PHP Everywhere metabox, and previewing the post.
While this vulnerability has the same CVSS score as the first one, the researchers explain that it is less severe because it needs contributor-level authorizations, which require more trust and are more difficult to obtain than subscriber-level permissions.
- The third flaw is identified as CVE-2022-24665, and it has been assigned a severity rating of 9.9. PHP Everywhere Gutenberg blocks are available to all users with edit posts capabilities, and threat actors could use them to interfere with a website’s functionality by executing arbitrary PHP code.
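As an added example (not code from the article, Wordfence, or the PHP Everywhere plugin), the scanner below flags access-log requests that carry a `shortcode` parameter invoking PHP Everywhere, the request shape the first flaw relies on, and includes a helper that compares an installed plugin version against 2.0.3. It assumes the plugin's shortcode tag is `[php_everywhere]` and that the request's query string is visible in the log line; the log lines are constructed.

```python
# Added example, not from the article or the PHP Everywhere plugin.
# Assumptions: the plugin's shortcode tag is [php_everywhere] and the
# request's query string is visible in the access-log line.
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log-format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines: two carry the PHP Everywhere shortcode, one is an
# ordinary search, one carries an unrelated shortcode parameter.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Jan/2022:10:14:02 +0000] "GET /wp-admin/admin-ajax.php'
    '?shortcode=%5Bphp_everywhere%5D HTTP/1.1" 200 512',
    '198.51.100.4 - - [05/Jan/2022:10:15:30 +0000] "GET /?s=php+everywhere HTTP/1.1" 200 8831',
    '198.51.100.9 - - [05/Jan/2022:10:16:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?shortcode=%5Bgallery%5D HTTP/1.1" 200 310',
    '203.0.113.7 - - [05/Jan/2022:10:17:45 +0000] "POST /wp-admin/admin-ajax.php'
    '?shortcode=%5Bphp_everywhere%20instance%3D%221%22%5D HTTP/1.1" 200 640',
]

def flag_shortcode_requests(lines):
    """Return one record per request whose shortcode parameter invokes PHP Everywhere."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        # parse_qs URL-decodes values, so %5B...%5D becomes [...]
        params = parse_qs(urlsplit(m.group("target")).query)
        for value in params.get("shortcode", []):
            if "[php_everywhere" in value.lower():
                hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                             "status": int(m.group("status")), "shortcode": value})
    return hits

def plugin_version_is_affected(version):
    """True for PHP Everywhere 2.0.3 and below; 3.0.0 is the patched release."""
    return tuple(int(p) for p in version.split(".")) <= (2, 0, 3)

if __name__ == "__main__":
    for hit in flag_shortcode_requests(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} status={hit["status"]} shortcode={hit["shortcode"]}')
```

Flagged lines are candidates for review, not proof of compromise: an access log cannot show which account sent the request, so correlate the hits with the plugin version installed on the host and with the user activity around the same timestamps.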
– January 4, 2022 – We release a firewall rule available to Wordfence Premium, Wordfence Care, and Wordfence Response customers. We begin the disclosure process with the plugin author and disclose to the WordPress plugin repository. The plugin author responds and we send over full disclosure.
– January 10, 2022 – A patched version, 3.0.0, is released.
– February 3, 2022 – The firewall rule becomes available to free Wordfence users.