CVE-2022-24663 Overview
CVE-2022-24663 is a code injection vulnerability in the PHP Everywhere WordPress plugin that allows any authenticated user to execute arbitrary PHP code via WordPress shortcodes. The vulnerability exists in PHP Everywhere versions 2.0.3 and earlier, where improper access controls enable low-privileged users (including subscribers) to leverage the plugin's shortcode functionality to run malicious PHP code on the server.
Critical Impact
Authenticated attackers with minimal privileges (subscriber-level) can achieve full remote code execution on vulnerable WordPress installations, potentially leading to complete site takeover, data theft, or server compromise.
Affected Products
- PHP Everywhere plugin for WordPress versions <= 2.0.3
- WordPress installations with PHP Everywhere plugin enabled
- php_everywhere_project php_everywhere
Discovery Timeline
- 2022-02-16 - CVE-2022-24663 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-24663
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code / Code Injection). The PHP Everywhere plugin was designed to allow site administrators to embed PHP code within WordPress posts and pages using shortcodes. However, the implementation failed to properly restrict which user roles could execute these shortcodes.
The vulnerability allows any authenticated user, regardless of their privilege level, to craft malicious shortcodes that execute arbitrary PHP code on the server. This represents a complete breakdown of the intended security model, where only administrators should have been able to execute PHP code.
The network-accessible nature of this vulnerability, combined with the low barrier to exploitation (only requiring basic authentication), makes it particularly dangerous for WordPress sites that allow user registration.
Root Cause
The root cause of this vulnerability lies in insufficient authorization checks within the PHP Everywhere plugin's shortcode processing functionality. The plugin failed to verify that the user initiating a PHP code execution request possessed the appropriate administrative privileges. Instead, any authenticated user—including those with the lowest privilege level (subscriber)—could invoke the shortcode functionality to execute arbitrary PHP code.
Attack Vector
The attack vector for CVE-2022-24663 is network-based and requires only low-privilege authentication. An attacker can exploit this vulnerability through the following attack chain:
- Create or obtain a subscriber-level account on the target WordPress installation
- Craft a malicious WordPress shortcode that invokes the PHP Everywhere functionality
- Embed arbitrary PHP code within the shortcode parameters
- Submit the payload through a post, comment, or other user-accessible content area
- The server processes the shortcode and executes the attacker's PHP code with web server privileges
The vulnerability allows attackers to perform various malicious actions including reading sensitive configuration files (such as wp-config.php), creating backdoor accounts, installing web shells, pivoting to other systems, or completely taking over the WordPress installation.
Detection Methods for CVE-2022-24663
Indicators of Compromise
- Unexpected PHP code execution logs in web server access logs
- New administrator accounts created without authorization
- Suspicious shortcode content in posts, comments, or user-submitted content
- Web shell files appearing in the WordPress directory structure
- Unusual outbound network connections from the web server
Detection Strategies
- Monitor WordPress database for suspicious shortcode patterns containing PHP code
- Review web server logs for POST requests with PHP code snippets in parameters
- Implement file integrity monitoring on WordPress core and plugin directories
- Audit user activity logs for subscriber accounts creating or editing posts with shortcodes
Monitoring Recommendations
- Enable comprehensive logging for all WordPress user actions
- Deploy web application firewalls (WAF) with rules to detect PHP code in user-submitted content
- Implement real-time alerting for new file creation in WordPress directories
- Monitor for privilege escalation attempts and unauthorized account creation
How to Mitigate CVE-2022-24663
Immediate Actions Required
- Update PHP Everywhere plugin to version 3.0.0 or later immediately
- Audit all subscriber and contributor accounts for suspicious activity
- Review recently created or modified posts and pages for malicious shortcodes
- Consider temporarily disabling the PHP Everywhere plugin until patching is complete
- Check for unauthorized administrator accounts and web shell files
Patch Information
The vulnerability has been addressed in PHP Everywhere version 3.0.0, which implements proper role-based access controls for PHP code execution functionality. Organizations should update to the latest version of the plugin through the WordPress admin dashboard or by downloading directly from the WordPress plugin repository.
For detailed information about this vulnerability and the patch, refer to the Wordfence Blog on PHP Vulnerabilities.
Workarounds
- Disable the PHP Everywhere plugin entirely if it is not critical to site functionality
- Restrict user registration on WordPress sites to prevent attackers from obtaining authenticated access
- Implement strict content security policies to limit shortcode processing
- Use a web application firewall to block requests containing PHP code patterns in user-controllable fields
- Remove or disable subscriber and contributor role capabilities for creating or editing posts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
