PHP Everywhere code execution bugs impact thousands of WordPress websites

Critical remote code execution (RCE) vulnerabilities in a popular WordPress plugin have been made public. 

The RCE bugs impact PHP Everywhere, a utility for web developers to be able to use PHP code in pages, posts, the sidebar, or anywhere with a Gutenberg block – editor blocks in WordPress – on domains using the content management system (CMS). 

The plugin is used on over 30,000 websites. 

According to the WordFence Threat Intelligence team, the three vulnerabilities in PHP Everywhere all lead to remote code execution in versions of the software below 2.0.3.

The first vulnerability is tracked as CVE-2022-24663 and has been issued a CVSS severity score of 9.9. 

WordPress allows authenticated users to execute shortcodes via the parse-media-shortcode AJAX action. In this case, if users who are logged in – even if they have almost no permissions, such as if they are a subscriber – a crafted request parameter could be sent to execute arbitrary PHP, leading to full website takeover. 

CVE-2022-24664, also issued a severity score of 9.9, is the second RCE vulnerability disclosed by the security researchers. This vulnerability was found in how PHP Everywhere manages metaboxes – draggable edit boxes – and how the software permits any user

Read More: