Thousands of WordPress Sites Using PHP Everywhere Plugin Are at Risk

A fairly popular WordPress plugin is found to have three critical vulnerabilities, which if exploited by a threat actor can let for site takeover.

The concerned plugin is PHP Everywhere, which is available on over 30,000 WordPress websites today. Although the plugin maker released a patch, only half of the total WordPress admins have updated it to date. WordPress sites with Classic editors are vulnerable, even after patching.

Security Bug in WordPress Plugin

WordPress plugins surface with bugs every now and then, it is common. But how well the authors of those infected plugins are responding, and the site admins clearing it out should be noted. This week, we see a fairly popular plugin for WordPress sites – PHP Everywhere – affecting thousands of websites in wild.

Thousands of WordPress Sites Using PHP Everywhere Plugin Are at Risk

PHP Everywhere is an addon to let the site admins inject PHP code anywhere on the site. Be it on pages, posts, sidebar, or the Gutenberg block, PHP Everywhere will help the admins to display dynamic content on certain parts of the website.

But, as noted by the Wordfence researchers, the PHP Everywhere plugin is having three critical vulnerabilities as below;

  • CVE-2022-24665 – RCE flaw exploitable by contributors who have the ‘edit_posts’ capability and can add PHP Everywhere Gutenberg blocks. Default security setting on vulnerable plugin versions isn’t on ‘admin-only’ as it should be. (CVSS v3 score: 9.9)
  • CVE-2022-24663 – Remote code execution flaw exploitable by any subscriber by allowing them to send a request with the ‘shortcode’ parameter set to PHP Everywhere, and execute arbitrary PHP code on the site. (CVSS v3 score: 9.9)
  • CVE-2022-24664 – RCE vulnerability exploitable by contributors via the plugin’s metabox. An attacker would create a post, add a PHP code metabox, and then preview it. (CVSS v3 score: 9.9)

All WordPress sites running on v2.0.3 or older and using this plugin are vulnerable. Out of the above three, the first is more critical as all it needs is just subscriber access. Anyone registering on the target site can remotely execute a malicious PHP code to take over the site ultimately.

A patch for these bugs is available in the form of PHP Everywhere v.3.0.0, but it’s only good for the sites using Block Editors. Classic editors’ counterparts are still vulnerable, so the admins need to uninstall the PHP Everywhere plugin if they wish to continue their blogging securely.

Other Trending News:-  News


Please enter your comment!
Please enter your name here