How To Fix Critical Remote Code Execution Vulnerabilities In PHP Everywhere WordPress Plugin

WordPress security company Wordfence uncovered three critical remote code execution vulnerabilities in the PHP Everywhere WordPress plugin. Successful exploitation may allow any authenticated user of any level, including subscribers and customers, to execute code on the WordPress site, which could lead to a full site takeover. Let’s see more details about the vulnerabilities and how to fix them.

PHP Everywhere WordPress Plugin:

PHP Everywhere is a WordPress plugin that allows website owners to insert and execute PHP code almost anywhere on the site: pages, posts, the sidebar, header, footer, and any other place where a Gutenberg block can be placed. In short, it lets owners run PHP code on any part of their website.

Summary Of Critical Remote Code Execution Vulnerabilities In PHP Everywhere:

Wordfence disclosed a total of three remote code execution vulnerabilities in the plugin. All three are rated 9.9 (Critical) on the CVSS scale. Let’s explore them.

  1. CVE-2022-24663
  2. CVE-2022-24664
  3. CVE-2022-24665

Summary Of CVE-2022-24663:

By default, the PHP Everywhere plugin allows execution of PHP code snippets via WordPress shortcodes. Unfortunately, this is extended to users with almost no permissions, such as a Subscriber or a Customer. This allowed any low-privileged authenticated user to execute arbitrary PHP on the site simply by sending a request with the shortcode parameter set to [php_everywhere]<arbitrary PHP>[/php_everywhere].

Associated CVE ID: CVE-2022-24663
Description: Remote Code Execution by Subscriber+ users via shortcode
CVSS Score: 9.9 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Summary Of CVE-2022-24664:

By default, the PHP Everywhere plugin allows all users with the edit_posts capability to use the PHP Everywhere metabox. This allows Contributor-level users to carry out remote code execution on the site by creating a post, adding PHP code to the PHP Everywhere metabox, and then previewing the post. Although it has the same CVSS score, this vulnerability is considered less severe than the first one because exploiting it requires Contributor-level access.

Associated CVE ID: CVE-2022-24664
Description: Remote Code Execution by Contributor+ users via metabox
CVSS Score: 9.9 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Summary Of CVE-2022-24665:

By default, the PHP Everywhere plugin allows all users with the edit_posts capability to use the PHP Everywhere Gutenberg block. This allows Contributor-level users to carry out remote code execution on the site by creating a post, adding the PHP Everywhere block with code, and previewing the post. Although it has the same CVSS score, this vulnerability is considered less severe than the first one because exploiting it requires Contributor-level access.

Associated CVE ID: CVE-2022-24665
Description: Remote Code Execution by Contributor+ users via Gutenberg block
CVSS Score: 9.9 Critical
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): High

How To Fix Critical Remote Code Execution Vulnerabilities In PHP Everywhere WordPress Plugin?

These vulnerabilities affect PHP Everywhere versions up to and including 2.0.3. The plugin author addressed them in v3.0.0. We urge you to upgrade immediately to version 3.0.0 or later to fix the RCE vulnerabilities.
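To turn the version boundary above and the shortcode form described under CVE-2022-24663 into a quick audit, here is an added Python example (not code from the post or from the plugin) that reads the plugin header, decides whether the installed version predates the 3.0.0 fix, and flags exported posts in which a non-administrator author embedded a [php_everywhere] shortcode. The header text and the post records are constructed sample data, and the post dictionary shape is an assumption, not the WordPress schema.

```python
import re

# Versions up to and including 2.0.3 are affected; 3.0.0 carries the fix.
FIXED_VERSION = (3, 0, 0)

# Shortcode form from the advisory; attributes in the opening tag are tolerated.
SHORTCODE_RE = re.compile(
    r"\[php_everywhere\b[^\]]*\](.*?)\[/php_everywhere\]",
    re.DOTALL | re.IGNORECASE,
)


def parse_version(version: str) -> tuple:
    """Turn '2.0.3' into (2, 0, 3); missing components are padded with 0."""
    parts = [int(p) for p in version.strip().split(".") if p.isdigit()]
    return tuple((parts + [0, 0, 0])[:3])


def version_from_plugin_header(header: str) -> str:
    """Read the 'Version:' field from a WordPress plugin header comment."""
    match = re.search(r"^\s*\*?\s*Version:\s*([\d.]+)", header, re.MULTILINE)
    if not match:
        raise ValueError("no Version: line in plugin header")
    return match.group(1)


def is_vulnerable(version: str) -> bool:
    """True when the installed version predates the 3.0.0 fix."""
    return parse_version(version) < FIXED_VERSION


def find_shortcode_payloads(post_content: str) -> list:
    """Return the body of every php_everywhere shortcode found in a post."""
    return [m.group(1).strip() for m in SHORTCODE_RE.finditer(post_content)]


def audit_posts(posts: list, trusted_roles=("administrator",)) -> list:
    """Flag (id, role, payloads) for shortcode uses by non-trusted authors."""
    findings = []
    for post in posts:
        payloads = find_shortcode_payloads(post["content"])
        if payloads and post["author_role"] not in trusted_roles:
            findings.append((post["id"], post["author_role"], payloads))
    return findings


# Constructed sample data standing in for a plugin header and exported posts.
SAMPLE_HEADER = "/*\n * Plugin Name: PHP Everywhere\n * Version: 2.0.3\n */"
SAMPLE_POSTS = [
    {"id": 1, "author_role": "administrator",
     "content": "[php_everywhere]echo date('Y');[/php_everywhere]"},
    {"id": 2, "author_role": "subscriber",
     "content": "hi [php_everywhere]echo 'x';[/php_everywhere] bye"},
    {"id": 3, "author_role": "contributor", "content": "plain text only"},
]
```

Running `audit_posts(SAMPLE_POSTS)` on the sample returns only post 2, and `is_vulnerable(version_from_plugin_header(SAMPLE_HEADER))` is True for the 2.0.3 header.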

Important note for classic WordPress editor users: the latest version, 3.0.0, does not support the classic editor. The upgrade is only possible for Gutenberg users; classic editor users will need an alternative tool to keep this feature.

We hope this post helps you understand how to fix the critical remote code execution vulnerabilities in the PHP Everywhere WordPress plugin. Thanks for reading this threat post. Please share it and help secure the digital world. Visit our social media pages on Facebook, LinkedIn, Twitter, Telegram, Tumblr, and Medium, and subscribe to receive updates like this.

Original article, author: ItWorker. If reposting, please cite the source: https://blog.ytso.com/270151.html
