Researchers discovered a number of severe security bugs leading to code execution in the WordPress plugin PHP Everywhere. Given its number of active installations, the vulnerable plugin potentially affected over 30,000 websites.
PHP Everywhere Plugin Bugs
Wordfence has disclosed details of three security bugs affecting the PHP Everywhere plugin.
PHP Everywhere is a popular plugin facilitating WordPress developers with PHP coding in various site components. Users can use this plugin to customize site components, create custom forms, and more.
According to the blog post, Wordfence found a critical code execution bug in the PHP Everywhere plugin that any low-privileged user could exploit. Describing this vulnerability (CVE-2022-24663; CVSS 9.9), the post reads:
Unfortunately, WordPress allows any authenticated users to execute shortcodes via the parse-media-shortcode AJAX action, and some plugins also allow unauthenticated shortcode execution. As such it was possible for any logged-in user, even a user with almost no permissions, such as a Subscriber or a Customer, to execute arbitrary PHP on a site by sending a request with the shortcode parameter set to [php_everywhere]<arbitrary PHP>[/php_everywhere]. Executing arbitrary PHP on a site typically allows complete site takeover.
The second vulnerability (CVE-2022-24664) was closely related and carried the same CVSS score of 9.9. While the first bug allowed PHP code execution via WordPress shortcodes, the second allowed the same via the plugin's metabox.
By default, the PHP Everywhere plugin allowed all users with the edit_posts capability to use the PHP Everywhere metabox.
The third flaw (CVE-2022-24665; CVSS 9.9) has the same impact, this time reachable through the plugin's Gutenberg block.
By default, the PHP Everywhere plugin allowed all users with the edit_posts capability to use the PHP Everywhere Gutenberg block.
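The common thread in all three bugs is that the plugin let anyone with edit_posts (or, through the AJAX action, any logged-in user) reach code that executes PHP, with no capability check of its own. The following must-use plugin is an added example, not code from the PHP Everywhere project or from Wordfence, showing the kind of capability gate a site owner can drop into wp-content/mu-plugins/ as a compensating control: it refuses the parse-media-shortcode AJAX request when a non-administrator submits a [php_everywhere] shortcode, and strips that shortcode from post content saved by non-administrators so it cannot run on the front end later. The shortcode tag php_everywhere is taken from the Wordfence quote above; the gating capability manage_options, the function prefix peg_, and the plugin header are my own choices. The metabox and block storage are plugin internals not described on the page and are not covered here, so this is a stop-gap alongside, not instead of, updating to a fixed version.

```php
<?php
/**
 * Plugin Name: PHP Everywhere capability gate (added example, not the plugin's own code)
 * Description: Refuses PHP Everywhere shortcodes from users without an administrator-level capability.
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumptions: the shortcode tag "php_everywhere" is as quoted by Wordfence;
 * "manage_options" as the required capability is a hypothetical choice for this example.
 */

defined( 'ABSPATH' ) || exit;

const PEG_SHORTCODE_TAG = 'php_everywhere';
const PEG_REQUIRED_CAP  = 'manage_options';   // assumption: administrators only

/**
 * True when $content contains a [php_everywhere ...] opening tag.
 * The raw text is matched rather than using has_shortcode(), which only sees
 * currently registered shortcodes and would miss content left behind by a
 * deactivated plugin.
 */
function peg_contains_php_shortcode( $content ) {
    $pattern = '/\[' . preg_quote( PEG_SHORTCODE_TAG, '/' ) . '(\s|\])/i';
    return (bool) preg_match( $pattern, (string) $content );
}

/**
 * Remove every [php_everywhere ...] and [/php_everywhere] tag from $content.
 */
function peg_strip_php_shortcode( $content ) {
    $pattern = '/\[\/?' . preg_quote( PEG_SHORTCODE_TAG, '/' ) . '[^\]]*\]/i';
    return preg_replace( $pattern, '', (string) $content );
}

/*
 * 1. AJAX path. WordPress core registers its handler for this action at
 *    priority 1, so a priority-0 hook runs first and can end the request
 *    before the shortcode is ever parsed.
 */
add_action( 'wp_ajax_parse-media-shortcode', function () {
    $shortcode = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    if ( peg_contains_php_shortcode( $shortcode ) && ! current_user_can( PEG_REQUIRED_CAP ) ) {
        // Log for detection: a low-privileged account tried to render PHP via AJAX.
        error_log( sprintf( 'peg: blocked php_everywhere shortcode render by user %d', get_current_user_id() ) );
        wp_send_json_error( array( 'message' => 'Not permitted.' ), 403 ); // terminates the request
    }
}, 0 );

/*
 * 2. Stored-content path. Strip the shortcode from any post saved by a user
 *    lacking the required capability, so it never executes for visitors.
 */
add_filter( 'wp_insert_post_data', function ( $data, $postarr ) {
    if ( ! current_user_can( PEG_REQUIRED_CAP ) && peg_contains_php_shortcode( $data['post_content'] ) ) {
        error_log( sprintf( 'peg: stripped php_everywhere shortcode from post saved by user %d', get_current_user_id() ) );
        $data['post_content'] = peg_strip_php_shortcode( $data['post_content'] );
    }
    return $data;
}, 10, 2 );
```

The two error_log lines double as a detection signal: a burst of "peg: blocked" entries from a Subscriber-level account is exactly the behaviour the first bug enabled, and worth alerting on even after the plugin is updated.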
Patch Deployed
Upon discovering the flaws, which affected all plugin versions up to 2.0.3, Wordfence reached out to the plugin developers. Commendably, the authors quickly addressed the matter and released a major update, version 3.0.0. PHP Everywhere users should update their sites to this version to prevent exploitation.