Critical RCE Flaws in 'PHP Everywhere' Plugin Affect Thousands of WordPress Sites
Critical security vulnerabilities have been disclosed in a WordPress plugin known as PHP Everywhere that's used by more than 30,000 websites worldwide and could be abused by an attacker to execute arbitrary code on affected systems.
PHP Everywhere is used to enable PHP code execution across WordPress installations, letting users insert and run PHP code in the content management system's Pages, Posts, and Sidebar.
Successful exploitation of the three vulnerabilities could result in the execution of malicious PHP code that could be leveraged to achieve a complete site takeover.
WordPress security company Wordfence said it disclosed the shortcomings to the plugin's author, Alexander Fuchs, on January 4; an update, version 3.0.0, was released on January 12, 2022 and addresses the issues by removing the vulnerable code entirely.
"The update to version 3.0.0 of this plugin is a breaking change that removes the shortcode and widget," the updated description page of the plugin now reads.
It's worth noting that version 3.0.0 only supports PHP snippets via the Block editor, so users who still rely on the Classic Editor must uninstall the plugin and find an alternative solution for hosting custom PHP code.
News URL: https://thehackernews.com/2022/02/critical-rce-flaws-in-php-everywhere.html