PHP Everywhere code execution bug can impact thousands of WordPress sites

Researchers found a critical remote code execution vulnerability in a plugin used by over 30,000 websites worldwide

PHP Everywhere critical flaws disclosed. Remote code execution bugs found in WordPress PHP plugin.

PHP Everywhere is a WordPress plugin that lets administrators insert PHP code into pages, posts and the sidebar. The flaws can be used by threat actors to run arbitrary code on any affected site.[1] The reports disclose three vulnerabilities, all of which lead to code execution and are rated critical.[2]

One of these vulnerabilities allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin installed.

WordPress typically allows authenticated users to run shortcodes via the parse-media-shortcode AJAX action. Once a user is logged in, such a request can be sent regardless of the user's permissions. Users with little to no privileges can therefore submit arbitrary PHP code and take over the targeted website.

Some of the affected functions can be restricted to administrators only, but versions lower than 2.0.3 might not have this restriction enabled by default. This means the vulnerabilities can be exploited by contributors and subscribers, and the issues affect plugin versions below 2.0.3.
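As an added example (not code from this page or from the PHP Everywhere project), a must-use plugin that acts as a compensating control for the AJAX path described above while a site is still on a vulnerable version: it logs every parse-media-shortcode call with the caller's roles and refuses callers who lack edit_posts. The plugin name, function name and log line format are my own choices.

```php
<?php
/**
 * Plugin Name: parse-media-shortcode guard (added example, not part of PHP Everywhere)
 * Description: Logs and blocks parse-media-shortcode AJAX calls from users who
 *              cannot edit posts. Compensating control only; upgrade to 3.0.0.
 *
 * Install as wp-content/mu-plugins/parse-media-shortcode-guard.php (assumed path).
 */

// Priority 0 runs before WordPress core's handler, which admin-ajax.php
// registers at priority 1, so the request is stopped before any shortcode runs.
// wp_ajax_* hooks only fire for logged-in users, matching the flaw's precondition.
add_action( 'wp_ajax_parse-media-shortcode', 'pmsg_guard_parse_media_shortcode', 0 );

function pmsg_guard_parse_media_shortcode() {
    $user  = wp_get_current_user();
    $roles = implode( ',', (array) $user->roles );
    $ip    = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : '-';
    // Record the length only; the submitted shortcode body never goes to the log.
    $len   = isset( $_POST['shortcode'] )
        ? strlen( (string) wp_unslash( $_POST['shortcode'] ) )
        : 0;
    $line  = sprintf( 'user=%d roles=[%s] ip=%s shortcode_len=%d', $user->ID, $roles, $ip, $len );

    if ( ! current_user_can( 'edit_posts' ) ) {
        // Subscribers and customers have no editorial reason to parse shortcodes,
        // so deny and stop here; wp_send_json_error() exits via wp_die().
        error_log( 'parse-media-shortcode DENIED ' . $line );
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Contributors and above must keep this action for the editor to work, so
    // their calls are only logged for later review and correlation with previews.
    error_log( 'parse-media-shortcode allowed ' . $line );
}
```

This closes only the subscriber-level path; callers with edit_posts still need the action for normal editing, so for the metabox and block flaws the fix remains the upgrade to 3.0.0.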

Three discovered vulnerabilities with a critical CVSS score of 9.9

The first vulnerability, tracked as CVE-2022-24663,[3] has a CVSS severity score of 9.9. The second flaw, CVE-2022-24664, has the same score and was found in the PHP Everywhere metabox. This feature lets any user with the edit_posts capability use functions such as a draggable edit box.

Attackers could use the flaw in the PHP Everywhere metabox to achieve code execution on a site simply by creating a post, adding PHP code to it and previewing the post. The flaw is critical, but the severity score does not tell the whole story, because exploitation still requires contributor-level permissions.

The third vulnerability, CVE-2022-24665, also has a CVSS severity score of 9.9. It stems from the fact that all users with the edit_posts capability can use the PHP Everywhere Gutenberg blocks. Threat actors might tamper with the functionality of a particular website and run arbitrary code through these features.[4]

A patched version is available

The Wordfence team, which found these vulnerabilities, disclosed the findings to the developer.[5] Less than a week after the disclosure a patched version of the plugin, v3.0.0, was released. The update addresses these flaws and removes some editor functions. Unfortunately, this change causes some issues for users.

Users who rely on the Classic Editor are affected. The issue can be resolved by upgrading old code to Gutenberg blocks or finding another solution for running PHP. At least 30% of users have upgraded to avoid exploitation, but thousands of websites remain vulnerable to this day.

Even though two of the vulnerabilities require contributor-level permissions for exploitation, executing arbitrary code on the site can lead to a complete takeover of the website, which is the worst outcome in terms of website security. Due to the critical severity of these bugs, all users are advised to upgrade to PHP Everywhere 3.0.0.

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
