Critical Code Execution Flaws Patched in ‘PHP Everywhere’ WordPress Plugin

Thousands of WordPress websites were impacted by three remote code execution vulnerabilities that were identified in the PHP Everywhere plugin, the Wordfence team at WordPress security company Defiant warns.

With more than 30,000 downloads, PHP Everywhere is an open-source plugin designed to let site owners run PHP code anywhere in a WordPress installation.

The latest PHP Everywhere release, published last month, patches three critical vulnerabilities (CVSS score of 9.9) that could allow low-privileged authenticated users to execute code on WordPress sites that use the plugin.

The most severe of these issues is CVE-2022-24663, a vulnerability that allows any authenticated user, including subscribers and customers, to “execute shortcodes via the parse-media-shortcode AJAX action,” Wordfence explains.

An attacker looking to exploit the bug would need to send a crafted request with a specific shortcode parameter to execute arbitrary PHP code on the site, which would typically lead to complete site takeover. The parse-media-shortcode action is a WordPress core AJAX handler that is available to any logged-in user and renders whatever shortcode it is handed; a plugin shortcode that evaluates PHP from its contents therefore becomes reachable by subscribers, so the fix has to come from the plugin rather than from WordPress itself.

The other two security flaws, tracked as CVE-2022-24664 and CVE-2022-24665, require the attacker to have at least contributor-level permissions on the vulnerable site, so their practical impact is lower.

CVE-2022-24664 existed because all users with the edit_posts capability, including untrusted contributors, could use the PHP Everywhere metabox. Thus, they could create a post containing PHP code in the PHP Everywhere metabox, and achieve code execution by previewing the post.

“While this vulnerability has the same CVSS score as the shortcode vulnerability, it is less severe, since it requires contributor-level permissions, which imply some degree of trust and are more difficult to obtain than subscriber-level permissions,” Wordfence says.

CVE-2022-24665 existed because, by default, all users with the edit_posts capability could use the PHP Everywhere Gutenberg block (the plugin allowed this to be restricted to administrators, but did not do so out of the box). Thus, contributor-level users could create a post, add the PHP Everywhere block with code in it, and preview the post to achieve code execution.

The security holes were reported to PHP Everywhere’s maintainers on January 4. Version 3.0.0 of the plugin was released on January 10 with patches for all three vulnerabilities. Sites still running an earlier version remain exploitable by any registered user and should update or remove the plugin.
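Two checks a site operator would want after reading the above: whether the installed plugin predates the 3.0.0 fix, and whether anyone has been calling the parse-media-shortcode AJAX action named in the CVE-2022-24663 description. The following is an added example written for this page, not code from the plugin, from Wordfence, or from WordPress. It assumes the plugin's main file carries a standard WordPress plugin header with a "Version:" line, and that the web server writes combined-format access logs; the plugin headers and log lines embedded in it are constructed, not captured from a real site.

```python
"""Triage helpers for the PHP Everywhere advisory (added example, not plugin code)."""
import re
from urllib.parse import parse_qs, urlsplit

# Version 3.0.0 is the release that, per the advisory, patched all three CVEs.
FIXED_VERSION = (3, 0, 0)
# The AJAX action named in the CVE-2022-24663 description. WordPress serves every
# AJAX action through wp-admin/admin-ajax.php and reads the action name from the
# query string or the POST body.
AJAX_ACTION = "parse-media-shortcode"
AJAX_PATH = "/wp-admin/admin-ajax.php"

# Matches the "Version:" line of a WordPress plugin header, with or without a
# leading " * " from the comment block.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9]+(?:\.[0-9]+)*)", re.MULTILINE)
# Combined log format: ip ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_plugin_version(header_text):
    """Return the plugin version as a 3-tuple of ints, or None if no header is found."""
    m = HEADER_RE.search(header_text)
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))  # pad "2.1" to (2, 1, 0)


def plugin_is_vulnerable(header_text):
    """True if the header's version is below the fixed release; None if unreadable."""
    version = parse_plugin_version(header_text)
    if version is None:
        return None
    return version < FIXED_VERSION


def flag_shortcode_ajax_requests(log_lines):
    """Return (ip, user, method, status) for requests that name the AJAX action.

    Only the query string is visible in an access log. A request that carries
    the action in the POST body alone will not be caught here and needs a
    WAF or application-level log instead.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith(AJAX_PATH):  # also matches /blog/wp-admin/...
            continue
        action = parse_qs(url.query).get("action", [""])[0]
        if action == AJAX_ACTION:
            hits.append((m.group("ip"), m.group("user"), m.group("method"), m.group("status")))
    return hits


# Constructed sample plugin headers (version numbers chosen for illustration).
OLD_PLUGIN_HEADER = """<?php
/*
Plugin Name: PHP Everywhere
Version: 2.0.0
*/
"""
PATCHED_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: PHP Everywhere
 * Version: 3.0.0
 */
"""

# Constructed sample access log lines (RFC 5737 addresses, invented usernames).
SAMPLE_LOG = [
    '203.0.113.5 - subscriber1 [12/Jan/2022:10:00:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=parse-media-shortcode&shortcode=%5Btest%5D HTTP/1.1" 200 512 "-" "curl/7.81.0"',
    '203.0.113.5 - subscriber1 [12/Jan/2022:10:00:02 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=parse-media-shortcode HTTP/1.1" 200 640 "-" "curl/7.81.0"',
    '198.51.100.7 - editor1 [12/Jan/2022:10:00:03 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Jan/2022:10:00:04 +0000] "GET /?p=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("old header vulnerable:", plugin_is_vulnerable(OLD_PLUGIN_HEADER))
    print("patched header vulnerable:", plugin_is_vulnerable(PATCHED_PLUGIN_HEADER))
    for hit in flag_shortcode_ajax_requests(SAMPLE_LOG):
        print("parse-media-shortcode call:", hit)
```

The version check only tells you whether the fix is installed; a hit from the log scan tells you a logged-in account asked WordPress to render a shortcode through admin-ajax.php, which is rare for ordinary users and worth reviewing together with that account's creation date and the post content it touched. Because the action name can also travel in the POST body, treat an empty result from access logs as inconclusive rather than as evidence of no exploitation.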

Related: Critical Flaw Impacts WordPress Plugin With 1 Million Installations

Related: WordPress 5.8.3 Patches Several Injection Vulnerabilities

Related: Critical Flaw in WordPress Plugin Leads to Database Wipe

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
