what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

PHP Everywhere 2.0.3 Remote Code Execution

PHP Everywhere 2.0.3 Remote Code Execution
Posted Feb 8, 2022
Authored by Ramuel Gall | Site wordfence.com

PHP Everywhere versions 2.0.3 and below suffer from multiple remote code execution vulnerabilities.

tags | exploit, remote, php, vulnerability, code execution
advisories | CVE-2022-24663, CVE-2022-24664, CVE-2022-24665
SHA-256 | 6a2dcc3898ac3a1b90915521a41f2d6e5e9592121ab91ccecbf993baae2e11e2

PHP Everywhere 2.0.3 Remote Code Execution

Change Mirror Download
On January 4, 2022, the Wordfence Threat Intelligence team began the responsible disclosure process for several Remote Code Execution vulnerabilities in PHP Everywhere, a WordPress plugin installed on over 30,000 websites. One of these vulnerabilities allowed any authenticated user of any level, even subscribers and customers, to execute code on a site with the plugin installed. As the vulnerabilities were of critical severity, we contacted the WordPress plugin repository with our disclosure in addition to initiating outreach to the plugin author.

We received a response from the plugin author within a few hours and sent over the full disclosure at that time. A largely rebuilt version of the plugin was made available on January 10, 2022.

What should I do if I’m running PHP Everywhere?

If you’re using the PHP everywhere plugin, it is imperative that you upgrade to the newest version, which is 3.0.0 at the time of this writing, in order to prevent your site from being exploited. Unfortunately, version 3.0.0 only supports PHP snippets via the Block editor, so if you are using the Classic Editor you will need to uninstall the plugin and find another solution. You should not continue to run older versions of PHP Everywhere under any circumstances.

Description: Remote Code Execution by Subscriber+ users via shortcode

Affected Plugin: PHP Everywhere

Plugin Slug: php-everywhere

Plugin Developer: Alexander Fuchs

Affected Versions: <= 2.0.3

CVE ID: CVE-2022-24663

CVSS Score: 9.9(Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Researcher/s: Ramuel Gall

Fully Patched Version: 3.0.0

PHP Everywhere is a WordPress plugin that is intended to allow site owners to execute PHP code anywhere on their site. It included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes. Unfortunately, WordPress allows any authenticated users to execute shortcodes via the parse-media-shortcode AJAX action, and some plugins also allow unauthenticated shortcode execution. As such it was possible for any logged-in user, even a user with almost no permissions, such as a Subscriber or a Customer, to execute arbitrary PHP on a site by sending a request with the shortcode parameter set to [php_everywhere]<arbitrary PHP>[/php_everywhere]. Executing arbitrary PHP on a site typically allows complete site takeover.

Description: Remote Code Execution by Contributor+ users via metabox

Affected Plugin: PHP Everywhere

Plugin Slug: php-everywhere

Plugin Developer: Alexander Fuchs

Affected Versions: <= 2.0.3

CVE ID: CVE-2022-24664

CVSS Score: 9.9(Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Researcher/s: Ramuel Gall

Fully Patched Version: 3.0.0

By default, the PHP Everywhere plugin allowed all users with the edit_posts capability to use the PHP Everywhere metabox.

Unfortunately this meant that untrusted Contributor-level users could use the PHP Everywhere metabox to achieve code execution on a site by creating a post, adding PHP code to the PHP Everywhere metabox, and then previewing the post. While this vulnerability has the same CVSS score as the shortcode vulnerability, it is less severe, since it requires contributor-level permissions, which imply some degree of trust and are more difficult to obtain than subscriber-level permissions. This is due to the CVSS scoring system which does not allow “Medium” in the “Privileges Required” field.

Description: Remote Code Execution by Contributor+ users via gutenberg block

Affected Plugin: PHP Everywhere

Plugin Slug: php-everywhere

Plugin Developer: Alexander Fuchs

Affected Versions: <= 2.0.3

CVE ID: CVE-2022-24665

CVSS Score: 9.9(Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Researcher/s: Ramuel Gall

Fully Patched Version: 3.0.0

By default, the PHP Everywhere plugin allowed all users with the edit_posts capability to use the PHP Everywhere Gutenberg block. While it was possible to set this to admin-only, this was not set by default due to versions <= 2.0.3 not being able to add capability checks without disabling the Gutenberg Block editor. We worked with the plugin author to overcome this limitation when we sent our disclosure.

Unfortunately this meant that contributor-level users could execute arbitrary PHP code on a site by creating a post, adding the PHP everywhere block and adding code to it, and then previewing the post. As with the metabox vulnerability, this has the same CVSS score as the shortcode vulnerability but is less severe as it requires Contributor-level permissions to exploit.

Timeline

January 4, 2022 – We release a firewall rule available to Wordfence Premium, Wordfence Care, and Wordfence Response customers. We begin the disclosure process with the plugin author and disclose to the WordPress plugin repository. The plugin author responds and we send over full disclosure.

January 10, 2022 – A Patched version, 3.0.0, is released.

February 3, 2022 – The firewall rule becomes available to free Wordfence users.

Conclusion

In today’s article, we discussed a set of vulnerabilities in the PHP Everywhere plugin which could be used for complete site takeover.

If you know anyone running this plugin we strongly advise forwarding this advisory to them, as these vulnerabilities are very easy to exploit and can be used to quickly and completely take over a site.

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close