PHP Everywhere Plugin Found to be Vulnerable to Remote Code Execution: Exists on Thousands of WordPress Sites?

Researchers have discovered three critical remote code execution (RCE) vulnerabilities in the PHP Everywhere plugin for WordPress, which is used by more than 30,000 websites around the world.

On January 4, 2022, the Wordfence Threat Intelligence team will be responsible for the disclosure process of multiple remote code execution vulnerabilities in the WordPress plugin PHP Everywhere, which is installed on over 30,000 websites. Everywhere, which is installed on over 30,000 websites, has begun the process of responsibly disclosing multiple remote code execution vulnerabilities. One of these vulnerabilities allowed authenticated users at any level, including subscribers and customers, to execute code on the site where the plugin was installed. Since this vulnerability is a serious issue, we reached out to the plugin authors and disclosed the information to the WordPress plugin repository.

PHP Everywhere is a plugin that allows WordPress administrators to insert PHP code into pages, posts, sidebars and Gutenberg blocks and use it to display dynamic content based on evaluated PHP expressions.

3 RCE flaws

These three vulnerabilities, discovered by security analysts at Wordfence, can be exploited by contributor or subscriber users, and affect all WordPress versions below 2.0.3.

The following is a summary of each vulnerability.

  • CVE-2022-24663 – A remote code execution vulnerability can be exploited by any subscriber user to send a request with the “shortcode” parameter set to PHP Everywhere and execute arbitrary PHP code on the site. This can be done. (CVSS v3 Score: 9.9)
  • CVE-2022-24664 – RCE vulnerability that can be exploited by posters via the metabox plugin. An attacker can create a post, add a metabox in PHP code, and then preview it. (CVSS v3 Score: 9.9)
  • CVE-2022-24665 – RCE vulnerability can be exploited by posters with ‘edit_posts’ privilege by adding a PHP Everywhere Gutenberg block. In the vulnerable version of the plugin, the default security setting is not “admin only” as it should be. (CVSS v3 score: 9.9)

The last two vulnerabilities can’t be easily exploited because they require contributor-level permissions, but the first vulnerability can be exploited more broadly because it can be exploited just by being a subscriber to the site.

For example, a customer who logs into a site is considered a “subscriber”, and thus can gain enough privileges to execute malicious PHP code just by registering with the target platform.

In both cases, executing arbitrary code on a site can lead to a complete takeover of the site, which is the worst-case scenario in website security.

Block Editor Only Fix

The team at Wordfence discovered this vulnerability on January 4, 2022 and informed the authors of PHP Everywhere of it.

The vendor released a security update on January 10, 2022, releasing version 3.0.0, which required a major code rewrite, resulting in a significant increase in the version number.

The developers fixed the update last month, but it’s not uncommon for administrators to not regularly update their WordPress sites and plugins.

According to’s download statistics, only 15,000 out of 30,000 installations have updated the plugin since the bug was fixed.

Therefore, due to the severity of these vulnerabilities, we strongly recommend that all PHP Everywhere users make sure that they have upgraded to the latest PHP Everywhere version 3.0.0 at this time.

In addition, if you are using the Classic Editor on your site, you will need to uninstall the plugin and find another solution to host your custom PHP code on that component.

This is because version 3.0.0 only supports PHP snippets via the Block editor, and it is unlikely that the author will do any work to restore the functionality for Classic.

Leave a Reply

Your email address will not be published.