PHP Everywhere is an open source WordPress plugin that allows WordPress administrators to insert PHP code in pages, posts, sidebars or any Gutenberg block and use it to display dynamic content based on evaluated PHP expressions.
Wordfence security researchers recently disclosed three remote code execution (RCE) vulnerabilities in PHP Everywhere, each with a CVSS score of 9.9 out of a maximum of 10. The flaws affect plugin versions 2.0.3 and earlier and are tracked as CVE-2022-24663, CVE-2022-24664 and CVE-2022-24665.
More than 30,000 websites currently use the plugin. An attacker who exploits any of the three flaws can execute arbitrary PHP code on the affected server, putting a large number of WordPress sites at risk.
Brief descriptions of the three vulnerabilities are as follows:
- CVE-2022-24663 - A remote code execution vulnerability exploitable by any authenticated user, even one with only the Subscriber role, by sending a request whose "shortcode" parameter contains a PHP Everywhere shortcode, causing the embedded PHP to be executed on the site.
- CVE-2022-24664 - A remote code execution vulnerability exploitable by a Contributor through the plugin's meta box: the attacker creates a post, adds PHP code in the meta box, and previews the post.
- CVE-2022-24665 - A remote code execution vulnerability exploitable by Contributors (users holding the "edit_posts" capability) through the plugin's Gutenberg block, because the default security setting of vulnerable versions was not "Administrators only".
Wordfence, the WordPress security company that found the flaws, said it notified the plugin's author, Alexander Fuchs, on January 4, 2022. The author released version 3.0.0 on January 12, which removed the vulnerable code entirely.
The plugin's update description page states, "The 3.0.0 update has breaking changes that remove PHP Everywhere shortcodes and widgets. Run the plugin settings page's updater to migrate legacy code to Gutenberg blocks."
It's worth noting that version 3.0.0 supports PHP snippets only through the block editor, so users who rely on the classic editor must uninstall the plugin and find another way to run custom PHP code.
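A quick triage check a site operator can run, added here as an example rather than code from Wordfence or from the plugin's author: it parses the standard WordPress plugin header ("Version: x.y.z") and flags an install whose version is still below the 3.0.0 fix. The sample header is constructed for the demo, and the default plugin path is an assumption about the plugin's directory and main-file name.

```python
"""Version-triage check for PHP Everywhere installs.

Added example, not code from Wordfence or from the plugin's author. It reads
the standard WordPress plugin header ("Version: x.y.z") and reports whether
the install is on a release before 3.0.0, the version the article names as
the fix. The sample header below is constructed for the demo, and the plugin
path in main() is an assumption about the plugin's directory and file name.
"""
import re
import sys
from typing import Optional, Tuple

FIXED_VERSION: Tuple[int, ...] = (3, 0, 0)  # 3.0.0 removed the shortcode/widget code

# Constructed sample of a pre-fix plugin header (not the real plugin file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: PHP Everywhere
 * Description: Insert PHP code everywhere.
 * Version: 2.0.3
 * Author: Alexander Fuchs
 */
"""

# WordPress reads header fields as "Key: value" lines in the file's leading comment,
# tolerating comment decoration (" * ", "//", "#") in front of the key.
_VERSION_RE = re.compile(
    r"^[ \t/*#@]*Version:[ \t]*([0-9]+(?:\.[0-9]+)*)", re.MULTILINE | re.IGNORECASE
)


def parse_plugin_version(source: str) -> Optional[Tuple[int, ...]]:
    """Return the plugin version as an int tuple, or None if no header line is found."""
    m = _VERSION_RE.search(source)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True for any release below 3.0.0 (2.0.3 and earlier are the affected releases)."""
    padded = tuple(version) + (0,) * max(0, 3 - len(version))  # so (2, 0) compares as 2.0.0
    return padded < FIXED_VERSION


def classify(source: str) -> str:
    """Map a plugin file's contents to 'vulnerable', 'patched' or 'unknown'."""
    version = parse_plugin_version(source)
    if version is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(version) else "patched"


def main(argv) -> int:
    # Default path is an assumption about the plugin's slug and main file name.
    path = argv[1] if len(argv) > 1 else "wp-content/plugins/php-everywhere/php_everywhere.php"
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            source = fh.read(8192)  # the header sits at the top of the file
    except OSError as exc:
        print(f"{path}: cannot read ({exc}); demonstrating on the constructed sample header")
        source = SAMPLE_HEADER
    verdict = classify(source)
    print(f"{path}: version {parse_plugin_version(source)} -> {verdict}")
    return 1 if verdict == "vulnerable" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit status on a vulnerable install lets the check drop into a cron job or CI step; an "unknown" verdict means the header could not be parsed and deserves a manual look rather than being treated as safe.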