PHP Everywhere code execution bugs impact thousands of WordPress websites

The remote code execution flaws are of critical severity.
Written by Charlie Osborne, Contributing Writer

Critical remote code execution (RCE) vulnerabilities in a popular WordPress plugin have been made public. 

The RCE bugs impact PHP Everywhere, a utility for web developers to be able to use PHP code in pages, posts, the sidebar, or anywhere with a Gutenberg block – editor blocks in WordPress – on domains using the content management system (CMS). 

The plugin is used on over 30,000 websites. 

According to the WordFence Threat Intelligence team, the three vulnerabilities in PHP Everywhere all lead to remote code execution in versions of the software below 2.0.3.

The first vulnerability is tracked as CVE-2022-24663 and has been issued a CVSS severity score of 9.9. 

WordPress allows authenticated users to execute shortcodes via the parse-media-shortcode AJAX action. In this case, if users who are logged in – even if they have almost no permissions, such as if they are a subscriber – a crafted request parameter could be sent to execute arbitrary PHP, leading to full website takeover. 

CVE-2022-24664, also issued a severity score of 9.9, is the second RCE vulnerability disclosed by the security researchers. This vulnerability was found in how PHP Everywhere manages metaboxes – draggable edit boxes – and how the software permits any user with the edit_posts capability to use these functions.

"Untrusted contributor-level users could use the PHP Everywhere metabox to achieve code execution on a site by creating a post, adding PHP code to the PHP Everywhere metabox, and then previewing the post," WordFence says. "While this vulnerability has the same CVSS score as the shortcode vulnerability, it is less severe, since it requires contributor-level permissions."

The third vulnerability is tracked as CVE-2022-24665 and has also been issued 9.9 on the severity scale. All users with edit_posts permissions can use PHP Everywhere Gutenberg blocks, and attackers could tamper with a website's functionality by executing arbitrary PHP code through these functions. 

It was possible to set this function to administrators only, but in versions of the software below 2.0.3, this could not be implemented by default. 

WordFence disclosed the vulnerabilities to the developer on January 4, who rapidly developed a set of fixes. On January 10, a patched version of the plugin, v.3.0.0, was rolled out. 

The developer, Alexander Fuchs, says that the update has caused a "breaking change" due to the necessary removal of some Block editor functionality, and so users facing problems – such as if they are relying on the Classic Editor – will need to also upgrade old code to Gutenberg blocks or find another solution to run PHP. 

At the time of writing, just over 30% of users have upgraded, and so many websites are still running vulnerable versions of the plugin. 

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards