PT-2022-1626 · WordPress · PHP Everywhere

Author: Ramuel Gall · Published: 2022-01-04 · Updated: 2022-02-24

CVE-2022-24665

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PHP Everywhere versions prior to 2.0.4

Description: The issue stems from improper control of code generation (code injection) in the PHP Everywhere plugin, tied to the edit posts capability. Any user who holds that capability can execute PHP code snippets through a WordPress Gutenberg block. Exploiting the issue may allow a remote attacker to execute arbitrary code by way of Gutenberg blocks.

Recommendations: For PHP Everywhere versions prior to 2.0.4, update to version 2.0.4 or later to resolve the issue. As a temporary workaround, consider restricting access to the edit posts capability to minimize the risk of exploitation.
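The workaround above is about narrowing who can reach the PHP-executing block. The following mu-plugin is an added example (it is not part of this advisory nor of the PHP Everywhere plugin) that removes a given block from the Gutenberg block list for everyone except administrators, so that holding edit_posts alone no longer exposes the block in the editor. The block name `vendor/php-block` is a placeholder assumption, and the code assumes WordPress 5.8 or later, which provides the `allowed_block_types_all` filter.

```php
<?php
/**
 * Added example, not code from the advisory or the plugin.
 * Drop into wp-content/mu-plugins/ so it loads before regular plugins.
 *
 * Assumptions (not stated on the advisory page):
 *   - the block is registered under the name 'vendor/php-block' (placeholder);
 *   - WordPress >= 5.8, which ships the allowed_block_types_all filter.
 */

// Placeholder: replace with the real registered block name.
define( 'RESTRICTED_PHP_BLOCK', 'vendor/php-block' );

add_filter( 'allowed_block_types_all', 'restrict_php_block_to_admins', 10, 2 );

/**
 * @param bool|string[]           $allowed_blocks true = all blocks, false = none, or a list of names
 * @param WP_Block_Editor_Context $editor_context editor being loaded (unused here)
 * @return bool|string[]
 */
function restrict_php_block_to_admins( $allowed_blocks, $editor_context ) {
    // Administrators keep the full block list.
    if ( current_user_can( 'manage_options' ) ) {
        return $allowed_blocks;
    }

    // "true" means every registered block; materialise it so we can prune one entry.
    if ( true === $allowed_blocks ) {
        $allowed_blocks = array_keys(
            WP_Block_Type_Registry::get_instance()->get_all_registered()
        );
    }

    // "false" means the editor already offers no blocks at all.
    if ( ! is_array( $allowed_blocks ) ) {
        return $allowed_blocks;
    }

    // Remove the restricted block for non-administrators.
    return array_values( array_diff( $allowed_blocks, array( RESTRICTED_PHP_BLOCK ) ) );
}
```

This only trims what the editor offers; it is a mitigation for the window before the update is applied, not a replacement for it. Upgrading to 2.0.4 or later, as the advisory recommends, remains the actual fix.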

Exploit

Fix

Code Injection


Weakness Enumeration

Related Identifiers

BDU:2022-00856
CVE-2022-24665

Affected Products

PHP Everywhere