April 25, 2024

Remote Code Execution vulnerabilities in PHP Everywhere were disclosed by the Wordfence threat intelligence team. This WordPress plugin is installed on over 30,000 websites. One of these vulnerabilities allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin installed.

Wordfence Premium users received a firewall rule protecting against these vulnerabilities on January 4, 2022.


Wordfence Care and Wordfence Response were launched with real-time threat intelligence updates. Customers of both received the firewall rule immediately upon subscription and will continue to receive firewall rules and other real-time threat intelligence as soon as it is released.

Sites still using the free version of Wordfence received the same protection 30 days after the initial release, on February 3, 2022.

If you run the PHP Everywhere plugin on your site, it is imperative that you upgrade to the newest version, which is 3.0.0 at the time of this writing, in order to prevent your site from being exploited. Unfortunately, version 3.0.0 only supports PHP snippets via the Block editor, so if you are using the Classic Editor you will need to uninstall the plugin and find another solution. You should not continue to run older versions of PHP Everywhere under any circumstances.
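As an added example (not code from the original post or from the plugin itself), the following Python script performs the one check the paragraph above calls for: it reads the `Version:` line from a WordPress plugin's file header and flags any PHP Everywhere install whose version is below the fixed release, 3.0.0. The plugin file path `wp-content/plugins/php-everywhere/php-everywhere.php` is an assumption, and the sample headers embedded in the script are constructed rather than copied from real plugin files.

```python
"""
Added example: flag an installed copy of the PHP Everywhere WordPress plugin
whose version is below 3.0.0, the fixed release named in the advisory.
WordPress keeps a plugin's version in the comment header of its main file,
e.g. "Version: 2.0.3"; this script parses that header and compares it
against the fixed version.

Assumptions (not from the original post): the main plugin file lives at
wp-content/plugins/php-everywhere/php-everywhere.php; the sample headers
below are constructed for demonstration.
"""
import re
from pathlib import Path
from typing import Optional, Tuple

FIXED_VERSION = "3.0.0"  # first release without the vulnerabilities, per the advisory

# WordPress plugin header line, e.g. " * Version: 2.0.3" (case-insensitive, leading '*' allowed)
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the Version: value from a WordPress plugin header, or None if absent."""
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '2.0.3' into (2, 0, 3); non-numeric suffixes such as '-beta' are ignored."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group(0)) if digits else 0)
    return tuple(parts)


def is_vulnerable_version(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    a, b = version_tuple(version), version_tuple(fixed)
    # Pad to equal length so (3, 0) compares equal to (3, 0, 0)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def check_plugin_file(path: Path) -> Optional[bool]:
    """True/False for vulnerable/not vulnerable; None if the file or its Version header is missing."""
    if not path.is_file():
        return None
    version = parse_plugin_version(path.read_text(errors="replace"))
    if version is None:
        return None
    return is_vulnerable_version(version)


# Constructed sample headers in the WordPress plugin-header format (not real plugin files)
OLD_HEADER = """<?php
/**
 * Plugin Name: PHP Everywhere
 * Version: 2.0.3
 */
"""
FIXED_HEADER = """<?php
/**
 * Plugin Name: PHP Everywhere
 * Version: 3.0.0
 */
"""

if __name__ == "__main__":
    for label, header in (("old", OLD_HEADER), ("fixed", FIXED_HEADER)):
        v = parse_plugin_version(header)
        print(f"{label}: version {v}, vulnerable={is_vulnerable_version(v)}")
    # On a real site, point it at the assumed plugin path:
    # check_plugin_file(Path("wp-content/plugins/php-everywhere/php-everywhere.php"))
```

Run the script from the WordPress document root and the `check_plugin_file` call reports whether the installed copy predates 3.0.0; a `None` result means the plugin is not present or its header could not be read, which is worth confirming by hand rather than treating as safe.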


Contributor-level users could execute arbitrary PHP code on a site by creating a post, adding the PHP Everywhere block, adding code to it, and then previewing the post. As with the metabox vulnerability, this has the same CVSS score as the shortcode vulnerability but is less severe, as it requires Contributor-level permissions to exploit.
