
WordPress plugin has high-risk RCE vulnerabilities, and only 50% of websites have applied the fix

Author: Internet science popularization station


PHP Everywhere is an open source WordPress plugin used by more than 30,000 websites worldwide. It was recently revealed to contain three serious security vulnerabilities that attackers could exploit to execute arbitrary code on affected websites.

PHP Everywhere lets PHP code run anywhere on a WordPress site: users can insert and execute PHP snippets in pages, posts and sidebars of the content management system, and the plugin also supports per-user limits and multiple PHP instances.

All three vulnerabilities were rated 9.9 out of 10 on the CVSS scale and affect versions 2.0.3 and below. The details are as follows:

CVE-2022-24663 - This vulnerability allows any authenticated user to execute a shortcode through the parse-media-shortcode AJAX action, leading to remote code execution. A logged-in user with almost no permissions on the site (e.g. a WordPress subscriber) could therefore fully take over the website.

CVE-2022-24664 - Remote code execution via the metabox (this vulnerability requires WordPress Contributor-level permissions and is therefore less severe).

CVE-2022-24665 - Remote code execution via Gutenberg blocks (also requires WordPress Contributor-level permissions).
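Two defender-side checks follow from the details above: whether an installed copy falls in the affected range (2.0.3 and below, fixed in 3.0.0), and whether the parse-media-shortcode AJAX action named for CVE-2022-24663 is showing up in web server logs. The script below is an added example written for this article, not code from the plugin, Wordfence or the author. It assumes the plugin's main file carries a standard WordPress "Version:" header line and that the access log is in combined (Apache/Nginx) format; the header and log lines it contains are constructed samples.

```python
"""Triage helpers for the PHP Everywhere advisory (added example, constructed inputs)."""
import re
from urllib.parse import parse_qs, urlsplit

# Affected range per the advisory: 2.0.3 and below; 3.0.0 removed the vulnerable code.
LAST_VULNERABLE = (2, 0, 3)
FIXED_VERSION = (3, 0, 0)


def parse_version(text):
    """Turn '2.0.3' into (2, 0, 3); missing components count as 0, suffixes are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def plugin_version_from_header(plugin_php_source):
    """Read the 'Version:' line from a WordPress plugin header comment block."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_php_source, re.MULTILINE)
    return m.group(1) if m else None


def is_vulnerable(version_text):
    """True when the version is within the affected range stated in the advisory."""
    return parse_version(version_text) <= LAST_VULNERABLE


# Constructed sample header mirroring the standard plugin header layout.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: PHP Everywhere
 * Version: 2.0.3
 */
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# The WordPress AJAX action named in the advisory for CVE-2022-24663.
SUSPECT_ACTION = "parse-media-shortcode"


def find_shortcode_ajax_hits(log_lines):
    """Return (ip, timestamp, status) for requests that name the suspect AJAX action.

    admin-ajax.php actions are usually sent as POST form fields, which access
    logs do not record, so only the query string is inspected here. A hit is a
    lead to correlate with WordPress-side audit logging, not proof of exploitation.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("path"))
        if not parts.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        if SUSPECT_ACTION in parse_qs(parts.query).get("action", []):
            hits.append((m.group("ip"), m.group("ts"), int(m.group("status"))))
    return hits


# Constructed sample log lines (documentation IP ranges, no real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Feb/2022:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=parse-media-shortcode HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Feb/2022:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Feb/2022:10:02:11 +0000] "GET /blog/hello-world/ HTTP/1.1" 200 4096 "-" "curl/7.81"',
    '198.51.100.4 - - [10/Feb/2022:10:02:13 +0000] "GET /wp-admin/admin-ajax.php?action=parse-media-shortcode HTTP/1.1" 403 0 "-" "curl/7.81"',
]

if __name__ == "__main__":
    installed = plugin_version_from_header(SAMPLE_HEADER)
    verdict = "affected, upgrade to 3.0.0 or later" if is_vulnerable(installed) else "not affected"
    print(f"PHP Everywhere {installed}: {verdict}")
    for ip, ts, status in find_shortcode_ajax_hits(SAMPLE_LOG):
        print(f"{ts} {ip} invoked {SUSPECT_ACTION} (HTTP {status})")
```

The version check is deliberately a plain tuple comparison so that point releases above 2.0.3 (such as a hypothetical 2.0.10) are treated as outside the affected range rather than mis-sorted as strings. Because the affected action is a core WordPress endpoint that legitimate editors also use, the log scan is meant to surface low-privilege accounts or unusual clients hitting it, which is what the subscriber-level exposure in CVE-2022-24663 makes worth watching.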

If a website has these three vulnerabilities, attackers will be able to exploit them to execute malicious PHP code and even achieve a complete takeover of the site.

WordPress security company Wordfence disclosed these vulnerabilities to the plugin's author, Alexander Fuchs, on January 4, and a version 3.0.0 update that completely removed the vulnerable code was subsequently released on January 12.

The update description for PHP Everywhere shows:

The 3.0.0 update to this plugin has a significant change that removes the PHP Everywhere shortcode and widget. Run the upgrade wizard from the plugin's settings page to migrate your legacy code to Gutenberg blocks.

Note that version 3.0.0 only supports PHP code snippets through the Block editor, so users who still rely on the Classic editor must uninstall the plugin and find an alternative solution for hosting custom PHP code.

According to WordPress statistics, only 15,000 websites have updated the plugin so far since the bugs were fixed.
