Critical remote code execution vulnerabilities in WordPress PHP everywhere Plugin

Threat Level – Amber | Vulnerability Report
Download PDF


For a detailed advisory, download the pdf file here

Three critical remote code execution (RCE) vulnerabilities in a WordPress plugin PHP everywhere have been discovered. It is a plugin that allows web developers to utilize PHP code in pages, posts, the sidebar, or anywhere on domains that use the content management system (CMS). This plugin has been installed on over 30,000 websites.

The first vulnerability which has been assigned CVE-2022-24663, allows an authorized attacker to execute shortcodes via the parse-media-shortcode AJAX call. In this case, if users are signed in then even if they have absolutely no access, such as a subscriber, a forged request parameter might be provided to run arbitrary PHP code, resulting in full website takeover.

The second RCE vulnerability has been assigned CVE-2022-24664. This flaw was discovered in the way PHP Everywhere controls metaboxes, draggable edit boxes and how the software allows any user with the edit posts capability to access these functionalities. Untrusted contributor-level users might use the PHP Everywhere metabox to execute code on a site by generating a post, inserting PHP code into the PHP Everywhere metabox, and previewing the post. While this vulnerability has the same severity as the shortcode vulnerability, it is less severe because contributor-level permissions are required.

The third vulnerability is tracked as CVE-2022-24665. An attacker could tamper a website’s functionality by executing arbitrary PHP code through ‘edit_posts’ permissions of PHP Everywhere Gutenberg blocks.

These vulnerabilities have been fixed in version 3.0.0.

Potential MITRE ATT&CK TTPs are:

TA0040: Impact

TA0001: Initial Access       

TA0002: Execution

TA0007: Discovery

TA0003: Persistence

T1190: Exploit-public facing application

T1518: Software Discovery

T1565: Data Manipulation

T1059: Command and Scripting Interpreter

T1505: Server Software Component

T1505.003: Server Software Component: Web Shell

Vulnerability Details

Patch Link


What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox