'PHP Everywhere' Plugin's Critical RCE Flaws Impact Thousands of WordPress Sites

Short News:- 

PHP Everywhere enables PHP code throughout a WordPress installation. It allows users to insert and execute PHP-based code in the CMS's Pages, Posts, and Sidebars. Subscriber+ and Contributor+ users can execute code through the use of the Metabox and the Gutenberg Block. Malicious PHP code could be used to take control of the entire site if the three vulnerabilities are exploited at the same time. The three issues are rated 9.9 out of a possible 10 on the CVSS scale, and they affect versions 2.0.3 and below. They could allow an attacker to execute arbitrary code on vulnerable systems.




Detailed News:- 

An investigation has revealed that PHP Everywhere, a WordPress plugin that is used by more than 30,000 websites around the world, contains critical security flaws that could allow an attacker to execute arbitrary code on vulnerable systems.


PHP Everywhere enables PHP code throughout a WordPress installation, allowing users to insert and execute PHP-based code in the CMS's Pages, Posts, and Sidebars. PHP Everywhere is a free plugin available for download from the WordPress repository.


The three issues are rated 9.9 out of a possible 10 on the CVSS scale, and they affect versions 2.0.3 and below.


CVE-2022-24663 - Subscriber+ users can remotely execute code through the use of a shortcode.

CVE-2022-24665 - Contributor+ users can execute code through the use of the Metabox and the Gutenberg Block.


Malicious PHP code could be used to take control of the entire site if the three vulnerabilities are exploited together, which is possible.


On January 4, the plugin's author, Alexander Fuchs, received notification from WordPress security company Wordfence. Updates were released on January 12, 2022, with version 3.0.0, which completely removed the vulnerable code, breaking sites that still depended on it.


"The update to version 3.0.0 of this plugin is a breaking change that removes the [php everywhere] shortcode and widget," according to the plugin's newly revised description page. The plugin's upgrade wizard can be used to convert your old code into Gutenberg blocks for easier editing.


As of version 3.0.0, PHP snippets are supported only in the Block editor, so users who are still using the Classic Editor will need to uninstall the plugin and install a different solution for hosting custom PHP code.
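As an added defender-side check (not code from the article or from the plugin itself): a small Python script that reads the plugin header from each site's wp-content/plugins directory and flags any copy of PHP Everywhere at version 2.0.3 or below, the range the article reports as affected; the main-file path php-everywhere/php-everywhere.php is an assumption.

```python
# Added example, not code from the article or the plugin: flag copies of
# PHP Everywhere at version 2.0.3 or below (the affected range the article
# reports for CVE-2022-24663 and CVE-2022-24665). The main-file path below
# is an assumption.
import re
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

VULNERABLE_MAX = (2, 0, 3)   # inclusive upper bound from the article
FIXED = "3.0.0"
PLUGIN_FILE = "php-everywhere/php-everywhere.php"   # assumed main file

# WordPress reads "Version: x.y.z" from the comment block at the top of the
# main plugin file; the line may or may not start with a leading '*'.
_VERSION_RE = re.compile(r"^[\s*#]*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)

def parse_version(header_text: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric version tuple from a plugin header, or None."""
    m = _VERSION_RE.search(header_text)
    if not m:
        return None
    nums = re.match(r"\d+(?:\.\d+)*", m.group(1))   # drop suffixes like -beta
    return tuple(int(p) for p in nums.group(0).split(".")) if nums else None

def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """Tuple order means 2.0 and 2.0.3 are flagged, 2.1 and 3.0.0 are not."""
    return version <= VULNERABLE_MAX

def classify(header_text: str) -> str:
    """Verdict for one copy of the plugin given its main-file header."""
    ver = parse_version(header_text)
    if ver is None:
        return "unknown: no Version header, inspect manually"
    label = ".".join(map(str, ver))
    if is_vulnerable(ver):
        return f"VULNERABLE {label}: update to {FIXED} or remove the plugin"
    return f"ok {label}"

def scan_plugin_dirs(plugin_dirs: Iterable[str]) -> List[Tuple[str, str]]:
    """Check each wp-content/plugins directory and return (dir, verdict)."""
    results = []
    for d in plugin_dirs:
        main = Path(d) / PLUGIN_FILE
        if not main.is_file():
            results.append((str(d), "not installed"))
            continue
        # The header sits in the first few KB; no need to read the whole file.
        results.append((str(d), classify(main.read_text(errors="replace")[:8192])))
    return results

# Constructed sample header, not taken from the real plugin file.
SAMPLE_HEADER = "<?php\n/*\nPlugin Name: PHP Everywhere\nVersion: 2.0.3\n*/\n"
```

Run it as `scan_plugin_dirs(["/var/www/html/wp-content/plugins"])` for each site root you manage; the Classic Editor caveat above still applies once you upgrade.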
