Critical RCE Flaws in 'PHP Everywhere' Plugin Affect Thousands of WordPress Sites

The Hacker News (thehackernews.com), published Feb 10, 2022, 6:34 a.m.
Bulletin ID: THN:22A85B390F226B7E1945EF65C6A4E8C8

CVSS v3.1: 8.8 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
  Attack Vector: Network | Attack Complexity: Low | Privileges Required: Low | User Interaction: None
  Scope: Unchanged | Confidentiality Impact: High | Integrity Impact: High | Availability Impact: High

CVSS v2: 6.5 Medium (AV:N/AC:L/Au:S/C:P/I:P/A:P)
  Access Vector: Network | Access Complexity: Low | Authentication: Single
  Confidentiality Impact: Partial | Integrity Impact: Partial | Availability Impact: Partial

EPSS: 0.001 Low (percentile 48.5%)

Tags: WordPress

Critical security vulnerabilities have been disclosed in a WordPress plugin known as PHP Everywhere that’s used by more than 30,000 websites worldwide and could be abused by an attacker to execute arbitrary code on affected systems.

PHP Everywhere exists to run PHP inside WordPress content: it lets users insert PHP code into the content management system's Pages, Posts and Sidebar and evaluates it when the page is rendered. Because executing PHP is the plugin's whole purpose, any gap in the check of who may supply that code is, by definition, a code-execution bug.

The three issues, each rated 9.9 out of a maximum of 10 on the CVSS scale, affect versions 2.0.3 and below. (The 8.8 listed in the header above is the same vector scored with Scope Unchanged; scoring the identical metrics with Scope Changed, S:C instead of S:U, gives 9.9, which is the rating a PHP-level takeover of the host from a low-privileged WordPress account deserves.) They are:

  • CVE-2022-24663 - Remote Code Execution by Subscriber+ users via shortcode
  • CVE-2022-24664 - Remote Code Execution by Contributor+ users via metabox
  • CVE-2022-24665 - Remote Code Execution by Contributor+ users via Gutenberg block

Successful exploitation of the three vulnerabilities could result in the execution of malicious PHP code that could be leveraged to achieve a complete site takeover.

Wordfence, the WordPress security company that found the bugs, said it reported them to the plugin's author, Alexander Fuchs, on January 4, 2022. Version 3.0.0, released on January 12, 2022, addresses them by removing the vulnerable code entirely rather than patching it in place.

“The update to version 3.0.0 of this plugin is a breaking change that removes the [php_everywhere] shortcode and widget,” the updated description page of the plugin now reads. “Run the upgrade wizard from the plugin’s settings page to migrate your old code to Gutenberg blocks.”

Note that version 3.0.0 only supports PHP snippets through the Block editor, so users who still rely on the Classic Editor must uninstall the plugin and find another way to host their custom PHP code. Because the shortcode and widget are gone, any post that still contains [php_everywhere] after the upgrade will no longer execute; WordPress leaves an unregistered shortcode tag in the content as literal text, so such posts need the migration wizard or a manual rewrite before the upgrade is rolled out.
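The following POSIX shell script is an added example for this article, not code from The Hacker News, Wordfence or the plugin. It is the inventory check a site operator would run before and after the upgrade: it reads the standard WordPress plugin header (the "Plugin Name:" and "Version:" lines) from every plugin under a plugins directory, flags PHP Everywhere installs in the affected range (2.0.3 and below, fixed in 3.0.0, as the article states), and counts posts in a one-post-per-line content export that still carry the [php_everywhere] shortcode that 3.0.0 removes. The directory layout, the plugin slug "php-everywhere" and all sample files are constructed for the demo and are assumptions, not the real site or plugin.

```shell
#!/bin/sh
# Added example (not from the article, Wordfence or the plugin): pre-upgrade
# inventory check for the PHP Everywhere advisory. Plugin paths, the slug
# "php-everywhere" and the sample data below are constructed for the demo.

AFFECTED_MAX="2.0.3"   # highest affected version named in the article
FIXED_IN="3.0.0"       # release that removed the vulnerable code

# version_le A B: exit 0 if dotted numeric version A <= B.
# Compares component by component as integers, so 2.0.10 > 2.0.3
# (a plain string compare would get that wrong). Numeric components only.
version_le() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        x="${x:-0}"; y="${y:-0}"      # missing components count as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 0                          # every component equal
}

# plugin_version FILE: print the numeric "Version:" header of a WordPress
# plugin main file (a trailing suffix such as "-beta" is ignored).
plugin_version() {
    sed -n 's/^[[:space:]*]*Version:[[:space:]]*\([0-9][0-9.]*\).*$/\1/p' "$1" | head -n 1
}

# plugin_status FILE: print "vulnerable ...", "fixed ..." or "unknown" based on
# the version header and the affected range from the article.
plugin_status() {
    v=$(plugin_version "$1")
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_le "$v" "$AFFECTED_MAX"; then
        echo "vulnerable $v (upgrade to $FIXED_IN)"
    else
        echo "fixed $v"
    fi
}

# scan_plugins DIR: check every DIR/<slug>/*.php whose header names
# PHP Everywhere; prints "<file>: <status>" for each one found.
scan_plugins() {
    for f in "$1"/*/*.php; do
        [ -f "$f" ] || continue
        grep -q '^[[:space:]*]*Plugin Name:[[:space:]]*PHP Everywhere' "$f" || continue
        echo "$f: $(plugin_status "$f")"
    done
}

# shortcode_posts FILE: count lines of a one-post-per-line export that still
# contain the [php_everywhere] shortcode; these posts stop executing (and
# render the tag as literal text) after 3.0.0 unless migrated first.
shortcode_posts() {
    grep -c '\[php_everywhere' "$1" || true
}

# Constructed sample data (not real site content or the plugin's real files).
SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/plugins/php-everywhere" "$SAMPLE_DIR/plugins/other-plugin"
cat > "$SAMPLE_DIR/plugins/php-everywhere/php-everywhere.php" <<'EOF'
<?php
/**
 * Plugin Name: PHP Everywhere
 * Version: 2.0.3
 */
EOF
cat > "$SAMPLE_DIR/plugins/other-plugin/other-plugin.php" <<'EOF'
<?php
/**
 * Plugin Name: Other Plugin
 * Version: 1.2.0
 */
EOF
cat > "$SAMPLE_DIR/posts.txt" <<'EOF'
1|Welcome|<p>Hello world</p>
2|Contact|[php_everywhere]<?php echo date('Y'); ?>[/php_everywhere]
3|About|<p>Plain content</p>
4|Sidebar note|[php_everywhere]<?php echo get_option('blogname'); ?>[/php_everywhere]
EOF

scan_plugins "$SAMPLE_DIR/plugins"
echo "posts still using the shortcode: $(shortcode_posts "$SAMPLE_DIR/posts.txt")"
```

Point the two functions at a real install by replacing "$SAMPLE_DIR/plugins" with the site's wp-content/plugins directory and feeding shortcode_posts a content export with one post per line (for example a dump of post_content from the database); a "vulnerable" line or a non-zero shortcode count means the upgrade to 3.0.0 still needs the migration step the plugin description describes.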

