MacOS vulnerability

The “PHP Everywhere” plugin for WordPress, which is used by more than 30,000 websites, has three critical remote code execution (RCE) vulnerabilities. The plugin lets a WordPress admin embed PHP code in pages, posts, the sidebar, or any Gutenberg block, and use it to display dynamic content: the output of the evaluated PHP expressions.

Security analysts at Wordfence identified the three vulnerabilities; they can be exploited by contributors or even subscribers, and they affect all plugin versions 2.0.3 and below.

The three vulnerabilities

  1. CVE-2022-24663 – Remote code execution exploitable by any subscriber. A subscriber can send a request whose “shortcode” parameter is set to PHP Everywhere and execute arbitrary PHP code on the site. The flaw scores 9.9 on CVSS v3.
  2. CVE-2022-24664 – Remote code execution exploitable by contributors through the plugin’s meta box. An attacker can create a post, add a PHP code meta box, and preview it. The flaw scores 9.9 on CVSS v3.
  3. CVE-2022-24665 – Remote code execution exploitable by contributors with the ‘edit_posts’ capability, who can add PHP Everywhere Gutenberg blocks. The vulnerable plugin versions do not use the ‘admin-only’ setting as their default configuration, which they should. The flaw scores 9.9 on CVSS v3.

The last two flaws are harder to exploit because they require contributor-level permissions; the first can be exploited on a much broader scale because it only requires the attacker to be a subscriber.

For example, a person who registers an account on a website is typically a subscriber; therefore, simply by registering on the target site, that person can execute malicious PHP code.

In all of the above scenarios, once arbitrary code is executed, the website can be completely taken over, which is the worst possible outcome.

The vulnerabilities were uncovered by Wordfence’s team on January 4, 2022, and they alerted the PHP Everywhere author about their findings.

The vendor released a security update, version 3.0.0, on January 10, 2022; the large jump in version number reflects the overhaul the plugin’s code required.

Although the developers have fixed the vulnerabilities in this update, admins are often slow to update their WordPress sites and plugins. According to download statistics on WordPress.org, only about half of users have updated the plugin since the bugs were patched.

Because these vulnerabilities are critical, all PHP Everywhere users are advised to update the plugin to version 3.0.0, the latest release.
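As an added example that is not from the original article or from the plugin’s authors, the following Python script checks a WordPress install for an affected PHP Everywhere version by reading the plugin’s file header the same way WordPress does and comparing it against the 2.0.3 / 3.0.0 boundary given above; the wp-content/plugins layout and the sample headers are assumptions.

```python
import re
from pathlib import Path

# Version bounds from the advisory: 2.0.3 and below are affected, 3.0.0 is the fixed release.
LAST_VULNERABLE = "2.0.3"
FIXED = "3.0.0"

def parse_plugin_header(source: str) -> dict:
    """Read 'Plugin Name' and 'Version' from a WordPress plugin file header,
    using the same 'Key: value' line convention WordPress itself parses."""
    fields = {}
    for key in ("Plugin Name", "Version"):
        m = re.search(r"^[ \t/*#@]*" + re.escape(key) + r":\s*(.+?)\s*$", source, re.M | re.I)
        if m:
            fields[key] = m.group(1)
    return fields

def version_tuple(v: str) -> tuple:
    # Compare numeric components only: "2.0.3" -> (2, 0, 3); suffixes such as "-beta" are ignored.
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_vulnerable(version: str) -> bool:
    return version_tuple(version) <= version_tuple(LAST_VULNERABLE)

def audit_plugin_file(source: str) -> dict:
    """Return a finding for one plugin main file; 'vulnerable' is None for unrelated plugins."""
    hdr = parse_plugin_header(source)
    name, ver = hdr.get("Plugin Name", ""), hdr.get("Version")
    if "php everywhere" not in name.lower() or ver is None:
        return {"plugin": name, "version": ver, "vulnerable": None}
    vulnerable = is_vulnerable(ver)
    return {"plugin": name, "version": ver, "vulnerable": vulnerable,
            "advice": f"update to {FIXED}" if vulnerable else None}

def audit_wp_root(wp_root: str) -> list:
    """Walk wp-content/plugins (assumed layout <slug>/*.php) and collect PHP Everywhere findings."""
    findings = []
    for main in (Path(wp_root) / "wp-content" / "plugins").glob("*/*.php"):
        result = audit_plugin_file(main.read_text(errors="ignore"))
        if result["vulnerable"] is not None:
            findings.append(dict(result, path=str(main)))
    return findings

# Constructed sample headers standing in for php-everywhere.php in two different installs
OLD_HEADER = "<?php\n/*\nPlugin Name: PHP Everywhere\nVersion: 2.0.3\n*/\n"
NEW_HEADER = "<?php\n/*\nPlugin Name: PHP Everywhere\nVersion: 3.0.0\n*/\n"

if __name__ == "__main__":
    for src in (OLD_HEADER, NEW_HEADER):
        print(audit_plugin_file(src))
```

Run `audit_wp_root("/var/www/html")` (or wherever the site lives) to sweep a real install; any finding with `vulnerable: True` should be patched to 3.0.0 before anything else.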

Reference

https://www.bleepingcomputer.com/news/security/php-everywhere-rce-flaws-threaten-thousands-of-wordpress-sites/