The remote code execution flaws are of critical severity.
Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London.
Critical remote code execution (RCE) vulnerabilities in a popular WordPress plugin have been made public.
The RCE bugs impact PHP Everywhere, a utility for web developers to be able to use PHP code in pages, posts, the sidebar, or anywhere with a Gutenberg block – editor blocks in WordPress – on domains using the content management system (CMS).
The plugin is used on over 30,000 websites.
According to the WordFence Threat Intelligence team, the three vulnerabilities in PHP Everywhere all lead to remote code execution in versions of the software below 2.0.3.
The first vulnerability is tracked as CVE-2022-24663 and has been issued a CVSS severity score of 9.9.
WordPress allows authenticated users to execute shortcodes via the parse-media-shortcode AJAX action. In this case, any logged-in user – even one with almost no permissions, such as a subscriber – could send a crafted request parameter to execute arbitrary PHP, leading to full website takeover.
CVE-2022-24664, also issued a severity score of 9.9, is the second RCE vulnerability disclosed by the security researchers. This vulnerability was found in how PHP Everywhere manages metaboxes – draggable edit boxes – and how the software permits any user with the edit_posts capability to use these functions.
“Untrusted contributor-level users could use the PHP Everywhere metabox to achieve code execution on a site by creating a post, adding PHP code to the PHP Everywhere metabox, and then previewing the post,” WordFence says. “While this vulnerability has the same CVSS score as the shortcode vulnerability, it is less severe, since it requires contributor-level permissions.”
The third vulnerability is tracked as CVE-2022-24665 and has also been issued a CVSS severity score of 9.9. Any user with edit_posts permissions can use PHP Everywhere Gutenberg blocks, so attackers holding that capability could tamper with a website’s functionality by executing arbitrary PHP code through these blocks.
The plugin allowed this function to be restricted to administrators only, but in versions of the software below 2.0.3 that restriction was not applied by default.
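The three flaws share one root cause: PHP supplied through a shortcode body, a metabox or a block is evaluated without checking whether the user who supplied it is trusted to run code on the server. The snippet below is an added illustration of that pattern and of one defensive shape for it; it is not PHP Everywhere's code, nor the developer's 3.0.0 fix (which, as described later, removed functionality instead). The shortcode tag `example_php`, the meta key `_example_php_snippet`, the nonce action `example_php_save` and all function names are hypothetical. The vulnerable callback is shown only for contrast and is never registered; the hardened version enforces the capability where code enters the database and, at render time, evaluates only stored snippets rather than any text arriving in the request.

```php
<?php
// Added example, not PHP Everywhere's own code. All identifiers below are
// hypothetical placeholders for this illustration.

// --- Vulnerable pattern (for contrast, deliberately NOT registered) ---
// Core's parse-media-shortcode AJAX action calls do_shortcode() on a string
// that any authenticated user supplies, so this callback receives attacker-
// controlled $content and passes it straight to eval(). The capability of
// the requesting user is never consulted.
function example_php_vulnerable_shortcode( $atts, $content = '' ) {
    ob_start();
    eval( '?>' . $content );
    return ob_get_clean();
}

// --- Hardened pattern ---
// 1. Code is persisted only by administrators. A contributor (edit_posts)
//    can save a post, but this handler refuses to store the snippet unless
//    the saving user holds manage_options, and a nonce ties the request to
//    our own metabox form.
function example_php_save_snippet( $post_id ) {
    if ( ! isset( $_POST['example_php_nonce'] )
        || ! wp_verify_nonce( $_POST['example_php_nonce'], 'example_php_save' ) ) {
        return;
    }
    if ( wp_is_post_autosave( $post_id ) || wp_is_post_revision( $post_id ) ) {
        return;
    }
    // edit_posts is not sufficient to store executable code; require the
    // administrator capability (the restrictive default, not an opt-in).
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( isset( $_POST['example_php_snippet'] ) ) {
        // The value is code authored by an administrator; wp_unslash() only
        // undoes WordPress's magic-quotes style slashing before storage.
        update_post_meta(
            $post_id,
            '_example_php_snippet',
            wp_unslash( $_POST['example_php_snippet'] )
        );
    }
}
add_action( 'save_post', 'example_php_save_snippet' );

// 2. Rendering never evaluates the shortcode's inline content. It looks up a
//    snippet stored under step 1, so a crafted shortcode string sent through
//    parse-media-shortcode can at most run code an administrator already saved.
function example_php_hardened_shortcode( $atts, $content = '' ) {
    $atts    = shortcode_atts( array( 'post' => 0 ), $atts, 'example_php' );
    $post_id = absint( $atts['post'] );
    if ( ! $post_id ) {
        return '';
    }
    $snippet = get_post_meta( $post_id, '_example_php_snippet', true );
    if ( ! is_string( $snippet ) || $snippet === '' ) {
        return '';
    }
    ob_start();
    eval( '?>' . $snippet );
    return ob_get_clean();
}
add_shortcode( 'example_php', 'example_php_hardened_shortcode' );
```

The design point is where the capability check sits. Checking `current_user_can()` inside the render callback would not work for this kind of plugin, because front-end visitors are anonymous and the output must still render for them; the trust decision belongs at save time, on the author of the code, and render must then refuse to execute anything that did not pass that gate. A site owner auditing a similar plugin can look for exactly this: whether `eval()` (or equivalent) is reachable from `do_shortcode()`, a metabox save handler or a block's render callback without a capability check on the code's author.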
WordFence disclosed the vulnerabilities to the developer on January 4, who rapidly developed a set of fixes. On January 10, a patched version of the plugin, v.3.0.0, was rolled out.
The developer, Alexander Fuchs, says that the update has caused a “breaking change” due to the necessary removal of some Block editor functionality, and so users facing problems – such as if they are relying on the Classic Editor – will need to also upgrade old code to Gutenberg blocks or find another solution to run PHP.
At the time of writing, just over 30% of users have upgraded, and so many websites are still running vulnerable versions of the plugin.