CVE-2022-24663 PHP Code Snippets can be executed via WordPress shortcodes in PHP Everywhere <=2.0.3.

The snippet functionality was disabled by default in PHP 5.3 and 5.4 due to security issues. If you were using PHP 5.3 or 5.4, you were vulnerable to attacks.

Execution of arbitrary PHP code via WordPress plugins is considered a major security risk: an attacker can use it to run malicious code on the server or to steal data.

It is recommended to upgrade to a newer version of PHP if possible. You can also turn off the snippet functionality via Settings > Reading. Shortcodes are disabled by default in WordPress versions 4.9 and higher, so if you are still using an earlier version of WordPress, you likely have this vulnerability; you can fix it by upgrading to a newer version of WordPress. If you are on a stable version of WordPress and cannot upgrade, you can disable the shortcode functionality via Settings > Reading.

How to check if you’re vulnerable?

PHP versions 5.3 and 5.4 are vulnerable to an attack known as CVE-2022-24663. This attack can be used to execute arbitrary PHP code via WordPress plugins, which can result in malicious code being run or data being stolen. If you are using any version of PHP prior to 5.3 or 5.4, you are vulnerable to this attack. In addition, shortcodes are disabled by default in WordPress versions 4.9 and higher, so if you are still using a previous version of WordPress, you likely have this vulnerability as well. To check whether you are vulnerable, follow these steps:

1) Install a plugin that uses the snippet functionality (e.g., Better WP Snippets)
2) Attempt to use the snippet functionality
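A more direct check than the steps above is to read the installed plugin's version header and compare it with the affected range (PHP Everywhere <= 2.0.3). The script below is an added example, not code from the advisory or from the plugin; it assumes the standard WordPress plugin header format (`Plugin Name:` / `Version:` lines in a comment at the top of the main plugin file) and uses constructed sample headers so it runs offline.

```python
import re
from pathlib import Path

# Affected range from the advisory: PHP Everywhere <= 2.0.3.
AFFECTED_PLUGIN = "PHP Everywhere"
LAST_AFFECTED_VERSION = "2.0.3"

# Matches "Plugin Name: ..." and "Version: ..." header lines, with or without a leading "*".
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.MULTILINE)

def parse_plugin_header(text: str) -> dict:
    """Extract the 'Plugin Name' and 'Version' fields from a WordPress plugin file header."""
    return {key: value for key, value in HEADER_RE.findall(text)}

def version_tuple(version: str) -> tuple:
    """'2.0.3' -> (2, 0, 3); non-numeric suffixes such as '-beta' are ignored."""
    return tuple(int(p) for p in re.split(r"[.\-]", version) if p.isdigit())

def is_affected(header_text: str) -> bool:
    """True if the header belongs to PHP Everywhere at a version <= 2.0.3."""
    header = parse_plugin_header(header_text)
    if header.get("Plugin Name") != AFFECTED_PLUGIN or "Version" not in header:
        return False
    return version_tuple(header["Version"]) <= version_tuple(LAST_AFFECTED_VERSION)

def scan_plugins_dir(plugins_dir: str) -> list:
    """Walk a wp-content/plugins directory and return the main files of affected plugins."""
    hits = []
    for php_file in Path(plugins_dir).glob("*/*.php"):
        try:
            head = php_file.read_text(errors="ignore")[:8192]  # headers sit at the top of the file
        except OSError:
            continue
        if is_affected(head):
            hits.append(str(php_file))
    return hits

# Constructed sample headers (not copied from any plugin) so the check can be run offline.
SAMPLE_OLD = "<?php\n/*\nPlugin Name: PHP Everywhere\nVersion: 2.0.3\n*/\n"
SAMPLE_NEW = "<?php\n/*\nPlugin Name: PHP Everywhere\nVersion: 3.0.0\n*/\n"
SAMPLE_OTHER = "<?php\n/*\nPlugin Name: Better WP Snippets\nVersion: 1.0.0\n*/\n"

if __name__ == "__main__":
    for label, sample in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("other", SAMPLE_OTHER)):
        print(label, "affected" if is_affected(sample) else "not affected")
```

On a live site, call `scan_plugins_dir("/path/to/wp-content/plugins")` to list any affected installs.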

How to check if you are vulnerable to execution of arbitrary PHP code via WordPress plugins?

You can easily check whether you are vulnerable to execution of arbitrary PHP code via WordPress plugins by visiting Settings > Reading and checking whether the snippet function is enabled. If it is, your website could potentially be vulnerable to attacks.

How to check if you are vulnerable?

If you have an older version of WordPress, the shortcode functionality may have been disabled. If you are on a stable version of WordPress and cannot upgrade, you can disable the shortcode functionality via Settings > Reading.
