Vulnerabilities in the plugin PHP Everywhere, installed by more than 30,000 WordPress instances, allow attackers to inject malicious code. This could allow you to take over the WordPress instance. The rights of a normal user are sufficient, explains the IT security company Wordfence. The plugin developer closes the gaps in an updated version.
In total, the researchers list three security gaps in their security report. The first allowed all registered users to inject any code via shortcode (CVE-2022-24663, CVSS 9.9risk critical). Shortcodes are functions that WordPress implements in tables, image galleries and the like, for example. Attackers could have used the shortcode
php_everywhere run any PHP and take over WordPress:
However, contributor rights are required to exploit the second vulnerability. This would allow an attacker to create a post, inject arbitrary PHP code into the PHP Everywhere metabox, and execute it by opening the preview (CVE-2022-24664, CVSS 9.9, critical). The third vulnerability affects the PHP Everywhere Gutenberg block, which users with contributor privileges could also abuse (CVE-2022-24665, CVSS 9.9, critical). Gutenberg is the default WordPress editor.
Install updates quickly
It is unclear whether the vulnerabilities have already been misused in the wild to compromise WordPress sites. Wordfence does not write anything in the security warning about attacks that have already been observed.
The developer of the plug-in fixed the security gaps in version 3.0 of PHP Everywhere. Administrators should install the update immediately. After the update, some plug-in users observe that the shortcode no longer works and they now have to use the Gutenberg block – but those affected should do this work themselves. The solution suggested in the plugin comments of simply reinstalling the old plugin puts the website at serious risk and is therefore not a valid option. Where the update is not possible, Wordfence even recommends completely uninstalling PHP Everywhere.
- WordPress: Download quickly and securely from heise.de
To home page