Researchers at Wordfence have found critical vulnerabilities in a popular WordPress plugin called PHP Everywhere, affecting thousands of websites.
RCE Bug in a WordPress Plugin
In the course of their routine hunt for new bugs affecting WordPress sites, the Wordfence team has found three critical vulnerabilities in a popular plugin called PHP Everywhere. Researchers say the plugin is in use on over 30,000 WordPress websites in the wild.
Their findings are as follows:
- CVE-2022-24664 – RCE vulnerability exploitable by contributors via the plugin’s metabox. An attacker would create a post, add a PHP code metabox, and then preview it. (CVSS v3 score: 9.9)
- CVE-2022-24663 – Remote code execution flaw exploitable by any subscriber, who can send a request with the ‘shortcode’ parameter set to PHP Everywhere and execute arbitrary PHP code on the site. (CVSS v3 score: 9.9)
- CVE-2022-24665 – RCE flaw exploitable by contributors who have the ‘edit_posts’ capability and can add PHP Everywhere Gutenberg blocks. The default security setting on vulnerable plugin versions is not ‘admin-only’, as it should be. (CVSS v3 score: 9.9)
The Wordfence team spotted these vulnerabilities on January 4, 2022, and informed the PHP Everywhere author immediately. Although the author released patches for these bugs on January 10, 2022, it is still the responsibility of WordPress site owners to update the plugin on their end.
Note that the current patched release (v3.0.0) only protects sites using the Block Editor, leaving those on the Classic Editor vulnerable. As of now, only about half of the 30,000 sites have updated the plugin.
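A quick exposure check based on the facts above, written for this page as an added example (not Wordfence's or the plugin author's code): it reads the `Version:` field from a WordPress plugin file header and classifies a site as unpatched (below 3.0.0), patched, or still exposed because it runs the Classic Editor on 3.0.0. The plugin header text is a constructed sample; in practice you would read the plugin's main PHP file under `wp-content/plugins/`.

```python
import re
from typing import Optional, Tuple

# Release in which the author shipped the fix, per the article.
PATCHED_VERSION = (3, 0, 0)

# Constructed sample of a WordPress plugin file header (real header format);
# the version value is made up for this demonstration.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: PHP Everywhere
 * Description: Run PHP code in posts, pages and widgets.
 * Version: 2.0.3
 */
"""


def parse_plugin_version(header_text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the 'Version:' header field as a 3-tuple of ints (None if absent)."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    if not match:
        return None
    parts = [int(p) for p in match.group(1).strip(".").split(".") if p]
    while len(parts) < 3:          # pad "3.0" to (3, 0, 0) so comparison is sound
        parts.append(0)
    return tuple(parts[:3])


def assess_exposure(version: Optional[Tuple[int, int, int]], classic_editor: bool) -> str:
    """Classify exposure: below 3.0.0 is unpatched; 3.0.0 fixes Block Editor
    sites only, so Classic Editor sites remain exposed even when updated."""
    if version is None:
        return "unknown: could not read plugin version"
    if version < PATCHED_VERSION:
        return "vulnerable: update PHP Everywhere to 3.0.0 or later"
    if classic_editor:
        return "still exposed: 3.0.0 protects the Block Editor only"
    return "patched"


if __name__ == "__main__":
    print(assess_exposure(parse_plugin_version(SAMPLE_PLUGIN_HEADER), classic_editor=False))
```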