PHP Everywhere RCE flaws threaten thousands of WordPress sites (Security News, February 2022)
PHP Everywhere is a plugin that allows WordPress admins to insert PHP code in pages, posts, the sidebar, or any Gutenberg block, and use it to display dynamic content based on evaluated PHP expressions.
CVE-2022-24663 - Remote code execution flaw exploitable by any subscriber: it lets them send a request with the 'shortcode' parameter set to PHP Everywhere and execute arbitrary PHP code on the site.
CVE-2022-24665 - RCE flaw exploitable by contributors who have the 'edit posts' capability and can add PHP Everywhere Gutenberg blocks.
A logged-in customer on a site is considered a 'subscriber,' so merely registering on the target platform would be enough to gain the privileges needed for malicious PHP code execution.
Wordfence's team discovered the vulnerabilities on January 4, 2022, and informed the author of PHP Everywhere of its findings.
Due to the severity of these vulnerabilities, all users of PHP Everywhere are strongly advised to make sure they have upgraded to PHP Everywhere version 3.0.0, which is the latest available at this time.
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-02-16 | CVE-2022-24665 | Code Injection vulnerability in PHP Everywhere Project PHP Everywhere: PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP code snippets via a WordPress Gutenberg block by any user able to edit posts. | 8.8 |
| 2022-02-16 | CVE-2022-24663 | Code Injection vulnerability in PHP Everywhere Project PHP Everywhere: PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP code snippets via WordPress shortcodes, which can be used by any authenticated user. | 8.8 |