Wordfence researchers have discovered three dangerous RCE vulnerabilities in the popular PHP Everywhere plugin, which is used by 30,000 WordPress sites. All three bugs were rated 9.9 out of 10 on the CVSS scale and can be used to remotely execute arbitrary code.
As the name suggests, PHP Everywhere makes it easy for WordPress site administrators to inject PHP code into any page, sidebar, post, or any Gutenberg block.
The problems found by the researchers can be exploited both by contributors and by ordinary subscribers, and they affect all versions of the plugin up to and including 2.0.3.
The first vulnerability, CVE-2022-24663, stems from the fact that WordPress lets authenticated users render shortcodes through the parse-media-shortcode AJAX action. Any logged-in user, even one with only subscriber privileges, can send a request whose shortcode parameter is used to execute arbitrary PHP code, which can ultimately lead to a complete takeover of the site.
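Detection logic for the request pattern described above, as an added example that is not part of the original article or of Wordfence's research: it scans a constructed request log (assumed tab-separated format: timestamp, user, method, path, query/body) and flags any admin-ajax call to parse-media-shortcode whose shortcode parameter names a shortcode other than the media shortcodes that action exists to render. The `[php_everywhere]` tag in the sample is an assumption about the plugin's shortcode name.

```python
import re
from urllib.parse import parse_qs

# Shortcodes that WordPress core's parse-media-shortcode AJAX action is meant to render.
MEDIA_SHORTCODES = {"audio", "video", "playlist", "embed", "gallery"}

# Constructed sample request log (not from a real site). Assumed tab-separated
# format: timestamp, authenticated user, method, path, raw query/body string.
# The php_everywhere shortcode tag is an assumed name for the plugin's shortcode.
SAMPLE_LOG = """\
2022-02-10T10:00:01Z\tsubscriber1\tPOST\t/wp-admin/admin-ajax.php\taction=parse-media-shortcode&shortcode=%5Bvideo+src%3D%22clip.mp4%22%5D
2022-02-10T10:00:07Z\tsubscriber1\tPOST\t/wp-admin/admin-ajax.php\taction=parse-media-shortcode&shortcode=%5Bphp_everywhere+instance%3D%221%22%5D
2022-02-10T10:00:09Z\teditor2\tPOST\t/wp-admin/admin-ajax.php\taction=heartbeat&data=x
2022-02-10T10:00:12Z\t-\tGET\t/wp-content/plugins/php-everywhere/readme.txt\t
"""

SHORTCODE_TAG = re.compile(r"\[\s*([A-Za-z0-9_-]+)")


def shortcode_tags(markup: str) -> set:
    """Return the set of shortcode tag names appearing in a piece of markup."""
    return {m.group(1).lower() for m in SHORTCODE_TAG.finditer(markup)}


def check_request(user: str, path: str, params: str):
    """Return a finding if the request feeds a non-media shortcode to parse-media-shortcode, else None."""
    if not path.endswith("/wp-admin/admin-ajax.php"):
        return None
    q = parse_qs(params, keep_blank_values=True)
    if q.get("action", [""])[0] != "parse-media-shortcode":
        return None
    tags = set()
    for value in q.get("shortcode", []):
        tags |= shortcode_tags(value)
    non_media = sorted(tags - MEDIA_SHORTCODES)
    if non_media:
        return f"{user}: non-media shortcode {non_media} sent to parse-media-shortcode"
    return None


def scan_log(log: str) -> list:
    """Scan a request log and return (timestamp, finding) pairs for suspicious requests."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, _method, path, params = line.split("\t", 4)
        finding = check_request(user, path, params)
        if finding:
            findings.append((ts, finding))
    return findings


if __name__ == "__main__":
    for ts, finding in scan_log(SAMPLE_LOG):
        print(ts, finding)
```

Any hit on this rule from a subscriber- or contributor-level account is worth investigating, since such accounts have no legitimate reason to render non-media shortcodes through this action.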
The second issue, CVE-2022-24664, relates to how PHP Everywhere handles its metaboxes: it lets any user with the edit_posts capability use these functions.
“Untrusted contributor-level users can use the PHP Everywhere metabox to execute arbitrary code on the site by creating a post, adding PHP code to the PHP Everywhere metabox, and then previewing that post,” experts say. “While this vulnerability has the same CVSS score as the shortcode vulnerability, it is less severe because it requires contributor privileges.”
The third vulnerability, CVE-2022-24665, lies in the fact that users with the edit_posts capability can use PHP Everywhere's Gutenberg blocks, which gives an attacker the opportunity to interfere with the site's operation and execute arbitrary code. This functionality can be restricted with the plugin's admin-only option, but versions prior to 2.0.3 do not have this restriction implemented by default.
The developer of PHP Everywhere released a patched version of the plugin, numbered 3.0.0, back on January 10, 2022. Unfortunately, according to official statistics, so far only about 15,000 of the 30,000 sites have updated the plugin to the secure version.