"Critical Code Execution Flaws Patched in 'PHP Everywhere' WordPress Plugin"

Security researchers at Defiant, a WordPress security company, discovered that thousands of WordPress websites were impacted by three remote code execution vulnerabilities identified in the PHP Everywhere plugin. With more than 30,000 downloads, PHP Everywhere is an open-source plugin designed to enable PHP code everywhere in a WordPress installation. Last month, the latest PHP Everywhere iteration was released with patches for three critical vulnerabilities (CVSS score of 9.9).

The most severe of these issues is CVE-2022-24663, a vulnerability that allows any authenticated user, including subscribers and customers, to "execute shortcodes via the parse-media-shortcode AJAX action." An attacker looking to exploit the bug would need to send a crafted request with a specific shortcode parameter to execute arbitrary PHP code on the site, which would typically lead to complete site takeover.

The other two security flaws, tracked as CVE-2022-24664 and CVE-2022-24665, require the attacker to have at least contributor-level permissions on the vulnerable site, so their impact is less severe. The researchers stated that CVE-2022-24664 existed because all users with the edit_posts capability, including untrusted contributors, could use the PHP Everywhere metabox. Thus, they could create a post containing PHP code in the PHP Everywhere metabox and achieve code execution by previewing the post. CVE-2022-24665 existed because, by default, all users with the edit_posts capability could use the PHP Everywhere Gutenberg block (this could be set to admin-only). Thus, contributor-level users could create a post, add the PHP Everywhere block with code in it, and preview the post to achieve code execution.

The security holes were reported to PHP Everywhere's maintainers on January 4. Version 3.0.0 of the plugin was released on January 10 with patches for all three vulnerabilities.
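All three issues share one root cause: a feature that executes server-side PHP was reachable by users holding only login (CVE-2022-24663) or the edit_posts capability (CVE-2022-24664 and CVE-2022-24665). The following is an added, illustrative WordPress plugin skeleton, not PHP Everywhere's own source and not taken from Defiant's writeup. It shows the defensive pattern such a plugin should apply on every path that can run code: an AJAX action, a post metabox and a block, each gated on an administrator-level capability (assumed here to be manage_options) plus a nonce, with the capability re-checked at save and render time rather than only when the UI is shown. All names prefixed myplugin_ and the block name myplugin/php are hypothetical.

```php
<?php
/*
 * Added example, not PHP Everywhere's code. Authorization pattern for a plugin
 * that executes PHP on behalf of users: gate on an admin capability and a
 * nonce, never on "is logged in" or edit_posts (which contributors hold).
 * Everything prefixed myplugin_ is hypothetical.
 */

const MYPLUGIN_CAP  = 'manage_options';   // assumption: admin-level capability
const MYPLUGIN_META = '_myplugin_snippet';

/* 1. AJAX action. No wp_ajax_nopriv_ hook, so anonymous users get nothing,
 *    and a logged-in subscriber is stopped by the capability check. */
add_action( 'wp_ajax_myplugin_preview', 'myplugin_ajax_preview' );

function myplugin_ajax_preview() {
    check_ajax_referer( 'myplugin_preview', 'nonce' );          // CSRF: dies on failure
    if ( ! current_user_can( MYPLUGIN_CAP ) ) {                // authz: login is not enough
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $code = isset( $_POST['code'] ) ? wp_unslash( $_POST['code'] ) : '';
    wp_send_json_success( array( 'html' => myplugin_run( $code ) ) );
}

/* 2. Metabox. Hide it from non-admins, but treat hiding as UX only and
 *    enforce the capability again in the save handler. */
add_action( 'add_meta_boxes', function () {
    if ( current_user_can( MYPLUGIN_CAP ) ) {
        add_meta_box( 'myplugin_box', 'PHP Snippet', 'myplugin_box_html', 'post' );
    }
} );

function myplugin_box_html( $post ) {
    wp_nonce_field( 'myplugin_save_' . $post->ID, 'myplugin_nonce' );
    printf(
        '<textarea name="myplugin_code">%s</textarea>',
        esc_textarea( get_post_meta( $post->ID, MYPLUGIN_META, true ) )
    );
}

add_action( 'save_post', function ( $post_id ) {
    if ( ! isset( $_POST['myplugin_nonce'] )
        || ! wp_verify_nonce( $_POST['myplugin_nonce'], 'myplugin_save_' . $post_id )
        || ! current_user_can( MYPLUGIN_CAP ) ) {
        return;                                     // a contributor cannot store code at all
    }
    update_post_meta( $post_id, MYPLUGIN_META, wp_unslash( $_POST['myplugin_code'] ?? '' ) );
    update_post_meta( $post_id, MYPLUGIN_META . '_by', get_current_user_id() );
} );

/* 3. Block editor: remove the code block from the editor for non-admins by
 *    default (the opposite of "available to everyone with edit_posts"). */
add_filter( 'allowed_block_types_all', function ( $allowed, $context ) {
    if ( current_user_can( MYPLUGIN_CAP ) ) {
        return $allowed;
    }
    if ( true === $allowed ) {                       // "all blocks": expand to a concrete list
        $allowed = array_keys( WP_Block_Type_Registry::get_instance()->get_all_registered() );
    }
    return array_values( array_diff( (array) $allowed, array( 'myplugin/php' ) ) );
}, 10, 2 );

/* Render path: decide on who STORED the snippet, not on who is previewing.
 * A contributor previewing an admin-authored post is then harmless, and
 * legacy meta written without the save-time check is never executed. */
function myplugin_render_post_snippet( $post_id ) {
    $code = get_post_meta( $post_id, MYPLUGIN_META, true );
    $by   = (int) get_post_meta( $post_id, MYPLUGIN_META . '_by', true );
    if ( '' === $code || ! user_can( $by, MYPLUGIN_CAP ) ) {
        return '';
    }
    return myplugin_run( $code );
}

function myplugin_run( $code ) {
    ob_start();
    eval( '?>' . $code );    // the plugin's purpose; reachable only through the gated paths above
    return ob_get_clean();
}
```

The ordering matters: the nonce check rejects cross-site requests before any capability logic runs, and the capability is checked independently in the AJAX handler, the save handler and the render path, so removing the metabox from a screen or the block from the editor is never the only control standing between a contributor and code execution.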


SecurityWeek reports: "Critical Code Execution Flaws Patched in 'PHP Everywhere' WordPress Plugin"
