A serious vulnerability in the PHP Everywhere WordPress extension allows attackers to take over other people's websites completely. An update is now available, and administrators should install it as soon as possible. Security researchers from Wordfence discovered that PHP Everywhere has three dangerous vulnerabilities. The first, CVE-2022-24663, allows any registered user to inject code via a shortcode. Hackers only need to create a normal account and do not need administrator rights.
The two vulnerabilities CVE-2022-24664 and CVE-2022-24665 allow contributors to insert and run their own PHP code through the metabox and the Gutenberg editor.
PHP Everywhere is used by over 30,000 WordPress instances and adds PHP support to areas of the website where PHP code cannot normally be used. The extension allows administrators to use PHP code in posts, on subpages, in the sidebar, and generally anywhere a Gutenberg text block can be placed. The developer of the plugin responded to the vulnerabilities found within hours and made a patch available. The critical vulnerabilities have been fixed with version 3.0.
Anyone using PHP Everywhere in conjunction with their WordPress installation should download the latest build as soon as possible. If the update cannot be performed, the plugin must be completely removed. While some users report that some features don’t work as usual after updating, administrators should definitely not revert to the previous version to avoid compromising their site’s security.
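One way to find installations that still need the update described above, as an added example that is not part of the original article or the plugin's own code: it walks a directory tree of WordPress sites, reads the standard `Version:` plugin header, and flags any copy below 3.0. The plugin directory name `php-everywhere` and the scan root passed on the command line are assumptions.

```python
import os
import re
import sys

PLUGIN_SLUG = "php-everywhere"  # assumption: plugin directory name, not given in the article
FIXED_VERSION = (3, 0, 0)       # the article: vulnerabilities fixed with version 3.0
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\d[\w.\-]*)", re.I | re.M)

def parse_version(text):
    """'2.0.3' -> (2, 0, 3); '3' -> (3, 0, 0), so short versions compare correctly."""
    nums = [int(n) for n in re.findall(r"\d+", text)]
    return tuple((nums + [0, 0, 0])[:3])

def plugin_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None if not found."""
    for name in sorted(os.listdir(plugin_dir)):
        if not name.endswith(".php"):
            continue
        path = os.path.join(plugin_dir, name)
        with open(path, encoding="utf-8", errors="replace") as fh:
            head = fh.read(8192)  # WordPress itself only reads the first 8 KB for headers
        match = HEADER_RE.search(head)
        if "Plugin Name:" in head and match:
            return match.group(1)
    return None

def audit(root):
    """Find every copy of the plugin under root and classify it against FIXED_VERSION."""
    findings = []
    for dirpath, dirnames, _files in os.walk(root):
        if os.path.basename(dirpath) != "plugins" or PLUGIN_SLUG not in dirnames:
            continue
        plugin_dir = os.path.join(dirpath, PLUGIN_SLUG)
        version = plugin_version(plugin_dir)
        if version is None:
            status = "unknown"      # present but no readable header: inspect by hand
        elif parse_version(version) < FIXED_VERSION:
            status = "vulnerable"   # update to 3.0 or remove the plugin
        else:
            status = "patched"
        findings.append((plugin_dir, version, status))
        dirnames.remove(PLUGIN_SLUG)  # no need to descend into the plugin itself
    return findings

if __name__ == "__main__":
    for plugin_dir, version, status in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:10} {version or '-':8} {plugin_dir}")
```

A copy reported as `unknown` is present on disk but has no parseable header, so it should be checked manually rather than assumed safe.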