The WordPress plugin PHP Everywhere, which enables using PHP code anywhere on a website, has been found vulnerable. The flawed plugin is installed on more than 30,000 websites, leaving them exposed to attacks.
Three flaws allowing RCE
The vulnerabilities found in PHP Everywhere allow remote code execution, with CVSS scores ranging from 4.8 to 7.2. CVE-2022-24663 is exploitable by Subscriber+ users via shortcodes and has a CVSS score of 7.2. CVE-2022-24664 affects Contributor+ users via the metabox and has a CVSS score of 4.8. The last one, CVE-2022-24665, also affects Contributor+ users, this time via Gutenberg blocks; it has a CVSS score of 5.4.
Even if the CVSS scores are relatively low, applying the patch is urgent since the flaws allow RCE
An attack using these vulnerabilities might result in a complete site takeover. Websites running PHP Everywhere version 2.0.3 or lower are at serious risk. The developer of the plugin has published version 3.0.0, which completely disables PHP snippets placed via the Classic Editor and therefore does not carry this risk.
Updating the PHP Everywhere plugin to the latest version is urgent, but you should be aware of possible breakage on the website for snippets that were placed via the Classic Editor. As a solution, you can use the following PHP Everywhere alternatives:
For PHP shortcodes, you can use the Insert PHP Code Snippet plugin
For PHP widgets, you can use the Code Widget plugin
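As an added example (not code from the article or from the plugin), the following script shows the two checks a site owner would want before updating: whether the installed PHP Everywhere release is still in the affected range (2.0.3 or lower), compared numerically rather than as strings, and which posts rely on the Classic Editor shortcode that 3.0.0 disables. The plugin header and post bodies are constructed samples, and the shortcode tag name `php_everywhere` is an assumption to verify against your installation.

```python
"""Flag a vulnerable PHP Everywhere install and list posts that will lose
their PHP snippets once version 3.0.0 is applied."""
import re

FIXED_VERSION = (3, 0, 0)          # first release that removes the Classic Editor snippets
SHORTCODE_TAG = "php_everywhere"   # assumed tag name; verify against your installation

# Constructed sample of the header block WordPress reads from the plugin's main file.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: PHP Everywhere
Description: Use PHP code in posts, pages and widgets.
Version: 2.0.3
*/
"""

# Constructed post bodies standing in for rows from the wp_posts table.
SAMPLE_POSTS = {
    11: "<p>Welcome</p>[php_everywhere]<p>footer</p>",
    12: "<p>No snippet here</p>",
    13: '[php_everywhere instance="2"]',
}


def parse_version(header_text: str) -> tuple[int, ...]:
    """Extract the 'Version:' header and return it as an integer tuple so the
    comparison is numeric (as strings, '2.0.10' would sort below '2.0.3')."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)", header_text, re.MULTILINE)
    if not m:
        raise ValueError("no Version header found")
    return tuple(int(part) for part in m.group(1).strip(".").split("."))


def is_vulnerable(version: tuple[int, ...]) -> bool:
    """Every release before 3.0.0 falls in the affected range named in the advisory."""
    return version < FIXED_VERSION


def find_shortcode_posts(posts: dict[int, str]) -> list[int]:
    """Return IDs of posts whose content uses the shortcode, i.e. the pages that
    will stop rendering PHP after the update and may need an alternative plugin."""
    pattern = re.compile(r"\[" + re.escape(SHORTCODE_TAG) + r"(\s[^\]]*)?\]")
    return sorted(pid for pid, body in posts.items() if pattern.search(body))


if __name__ == "__main__":
    installed = parse_version(SAMPLE_PLUGIN_HEADER)
    print("installed:", ".".join(map(str, installed)), "vulnerable:", is_vulnerable(installed))
    print("posts using shortcode:", find_shortcode_posts(SAMPLE_POSTS))
```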