WordPress takeover through critical vulnerabilities in PHP Everywhere

Vulnerabilities in the plugin PHP Everywhere, installed by more than 30,000 WordPress instances, allow attackers to inject malicious code. This could allow you to take over the WordPress instance. The rights of a normal user are sufficient, explains the IT security company Wordfence. The plugin developer closes the gaps in an updated version.

Multiple vulnerabilities

In total, the researchers list three security gaps in their security report. The first allowed all registered users to inject any code via shortcode (CVE-2022-24663, CVSS 9.9risk critical). Shortcodes are functions that WordPress implements in tables, image galleries and the like, for example. Attackers could have used the shortcode php_everywhere run any PHP and take over WordPress: [php_everywhere]<beliebiges PHP>[/php_everywhere].

However, contributor rights are required to exploit the second vulnerability. This would allow an attacker to create a post, inject arbitrary PHP code into the PHP Everywhere metabox, and execute it by opening the preview (CVE-2022-24664, CVSS 9.9, critical). The third vulnerability affects the PHP Everywhere Gutenberg block, which users with contributor privileges could also abuse (CVE-2022-24665, CVSS 9.9, critical). Gutenberg is the default WordPress editor.

Install updates quickly

It is unclear whether the vulnerabilities have already been misused in the wild to compromise WordPress sites. Wordfence does not write anything in the security warning about attacks that have already been observed.

The developer of the plug-in fixed the security gaps in version 3.0 of PHP Everywhere. Administrators should install the update immediately. After the update, some plug-in users observe that the shortcode no longer works and they now have to use the Gutenberg block – but those affected should do this work themselves. The solution suggested in the plugin comments of simply reinstalling the old plugin puts the website at serious risk and is therefore not a valid option. Where the update is not possible, Wordfence even recommends completely uninstalling PHP Everywhere.

Source code editor Visual Studio Code gets the Copilot Chat ready to go

Data integration: Apache Hop 2.4 supports DuckDB and scripting in ECMAScript

2022 was supposed to be the year of the Metaverse. Something went wrong?

Rating of the best mobile phones of 2022. 10 nominations in different categories

Hamburg District Court: Uberspace may no longer host Youtube-DL

Test drive Citroen C5 Aircross Hybrid: a look into the future

SAMP / T air defense system: Mamba is waiting for Russians under the Christmas tree

Logos as phishing antidotes in e-mails: Apple goes along with BIMI

Rating of the best laptops in 2022. 10 nominations in different categories

WordPress takeover through critical vulnerabilities in PHP Everywhere

Multiple vulnerabilities

Install updates quickly