Wordfence experts found three critical remote code execution vulnerabilities in the PHP Everywhere WordPress plugin, all the issues have received a CVSS score of 9.9.
The plugin that allows WordPress admins to insert PHP code in pages, posts, the sidebar, or any Gutenberg block, to display dynamic content based on evaluated PHP expressions.
“On January 4, 2022, the Wordfence Threat Intelligence team began the responsible disclosure process for several Remote Code Execution vulnerabilities in PHP Everywhere, a WordPress plugin installed on over 30,000 websites. One of these vulnerabilities allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin installed.” reads the advisory published by Wordfence. “As the vulnerabilities were of critical severity, we contacted the WordPress plugin repository with our disclosure in addition to initiating outreach to the plugin author.”
The plugin is used by over 30,000 websites worldwide, an attacker could exploit the three flaws to execute arbitrary code on affected systems.
Below is the list of the three vulnerabilities that affect versions 2.0.3 and below:
The development team addressed the flaw in January with the release of version 3.0.0.
Experts pointed out that version 3.0.0 only supports PHP snippets via the Block editor, this means that users who are still relying on the Classic Editor have to uninstall the plugin and chose another solution for using custom PHP code.
(SecurityAffairs – hacking, WordPress)