Three critical Remote Code Execution (RCE) vulnerabilities have been discovered in the ‘PHP Everywhere’ WordPress plugin, which is installed on more than 30,000 sites worldwide.
What Is PHP Everywhere?
PHP Everywhere is a WordPress plugin that lets site owners insert PHP code into pages, posts, the sidebar, or any Gutenberg block, and display dynamic content produced by evaluating that PHP. Because executing editor-supplied PHP on the server is the plugin's entire purpose, the only thing standing between a user and code execution is the plugin's check on who is allowed to supply that code.
The three RCE vulnerabilities were discovered by the Wordfence Threat Intelligence team, which reported that one of the flaws allowed any authenticated user of any level, including subscribers and customers, to execute code on a website with the plugin installed.
The flaws affect PHP Everywhere versions 2.0.3 and below (the version numbers refer to the plugin, not to WordPress core). Let's take a closer look at them.
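As a practical check of the affected range stated above, here is an added example (not code from Wordfence, the plugin, or this article) that reads a plugin's version from the two places a WordPress plugin normally declares it, the `Stable tag:` line of `readme.txt` and the `Version:` header of its main PHP file, and flags anything at or below 2.0.3. The sample file contents are constructed for the example, and the assumption that the plugin declares its version in those standard headers is mine, not the article's.

```python
"""
Flag PHP Everywhere installs in the affected range (2.0.3 and below).

Added example for this page, not code from Wordfence or the plugin.
Assumption (not from the article): the plugin records its version in the
standard WordPress locations, a "Stable tag:" line in readme.txt and a
"Version:" header in its main PHP file. Sample texts below are constructed.
"""
import re
from typing import Optional, Tuple

# Last affected release named in the article.
LAST_AFFECTED = "2.0.3"

# Constructed sample in the standard readme.txt layout (not a real plugin file).
SAMPLE_README = """=== PHP Everywhere ===
Contributors: example
Requires at least: 4.6
Tested up to: 5.9
Stable tag: 2.0.3
"""

# Constructed sample plugin header (not the plugin's real main file).
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: PHP Everywhere
Version: 3.0.0
*/
"""

# Matches "Stable tag: 2.0.3" or "Version: 3.0.0" on its own line.
# A readme that says "Stable tag: trunk" deliberately does not match:
# trunk pins no version, so the plugin header must be consulted instead.
_VERSION_RE = re.compile(
    r"^\s*(?:Stable tag|Version)\s*:\s*([0-9]+(?:\.[0-9]+)*)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def extract_version(text: str) -> Optional[str]:
    """Return the first numeric 'Stable tag:' or 'Version:' value, else None."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None


def version_tuple(v: str) -> Tuple[int, ...]:
    """'2.0.3' -> (2, 0, 3). WordPress plugin versions are dotted integers."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str) -> bool:
    """True when version <= 2.0.3. Zero-pads so '2' compares as 2.0.0."""
    a, b = version_tuple(version), version_tuple(LAST_AFFECTED)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a <= b


def assess(text: str) -> str:
    """One-line verdict for the body of a readme.txt or plugin main file."""
    v = extract_version(text)
    if v is None:
        return "version not found"
    if is_affected(v):
        return f"{v}: AFFECTED, update to a version above {LAST_AFFECTED}"
    return f"{v}: not in affected range"


if __name__ == "__main__":
    print(assess(SAMPLE_README))          # affected
    print(assess(SAMPLE_PLUGIN_HEADER))   # not affected
```

WordPress serves a plugin's `readme.txt` from the web root (under `/wp-content/plugins/<slug>/`; the slug `php-everywhere` is an assumption on my part), so the same parser can be fed a fetched readme when inventorying sites you are authorised to test. A readme whose stable tag is `trunk` reports no version here on purpose; fall back to the `Version:` header of the installed main file in that case.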
The first vulnerability, CVE-2022-24663, has a CVSS severity score of 9.9. When exploited, it allows any authenticated user, even one with the subscriber role, to send a request with the shortcode parameter set to PHP Everywhere and have arbitrary PHP code executed on the website, which can lead to complete site takeover. The second RCE flaw discovered is CVE-2022-24664, which has