Critical RCE Vulnerabilities in WordPress Plugin PHP Everywhere

We would like to bring your attention to the following set of critical vulnerabilities that we have recently become aware of within the WordPress plugin ‘PHP Everywhere’.

Description

Three remote code execution vulnerabilities have been identified within the WordPress ‘PHP Everywhere’ plugin, affecting all versions of WordPress 2.0.3 and lower. Whilst these are all authenticated vulnerabilities, one of which, only requires a subscriber tier user account, which can be obtained through any present registration processes.

• CVE-2022-24663 – Remote Code Execution flaw in which any subscriber can send a request containing shortcode set to:

 [php_everywhere]<arbitrary PHP>[/php_everywhere] 

via the parse-media-shortcode action triggering arbitrary code execution on the site.

• CVE-2022-24664 – Remote Code Execution flaw in which any user with the edit_posts privilege, typically that of a contributor, can achieve code execution via the use of the PHP Everywhere Metabox.

• CVE-2022-24665 – Remote Code Execution flaw in which any user with the edit_posts privilege, typically that of a contributor, can achieve code execution via the use of the PHP Everywhere Gutenberg block. However it should be noted that while it is possible to limit this feature to admin-only, it is not set by default.

The ‘PHP Everywhere’ plugin is believed to be installed on around one in a thousand WordPress instances.

Remediation

All of these flaws have been fully patched within the latest 3.0.0 patch of PHP Everywhere, which was released on January 10th 2022. Additionally, a WordFence firewall rule was also released on February 3rd 2022 to all free tier sites to help capture and prevent these attacks.

References

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24663

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24664

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24665

• https://www.wordfence.com/blog/2022/02/critical-vulnerabilities-in-php-everywhere-allow-remote-code-execution/

• https://www.bleepingcomputer.com/news/security/php-everywhere-rce-flaws-threaten-thousands-of-wordpress-sites/

• https://thehackernews.com/2022/02/critical-rce-flaws-in-php-everywhere.html

• https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Weaponized patience: the strategic implications of the F5 breach

The F5 breach reveals the growing danger of shared infrastructure attacks. As adversaries learn faster than defenders, the only path to resilience is continuous, adaptive testing.…

Everyone has a plan until they get punched in the face: reflections on the NCSC 2025 annual review

The NCSC Annual Review 2025 delivers a reality check. Highly significant cyber incidents have increased by 50 percent year over year. It’s time to act.

Part 3: CBEST Series – The Future of Threat-Led Penetration Testing

Regulated testing like CBEST is pivotal, but as threats shift, organizations must adopt more strategic, agile threat-led penetration testing. Discover what’s next.