CVE-2022-24665 Overview
CVE-2022-24665 is a Code Injection vulnerability in the PHP Everywhere plugin for WordPress. Versions 2.0.3 and earlier shipped a Gutenberg block that executes PHP code snippets, and any user able to edit posts (the edit_posts capability, which the contributor role holds by default) could use it. An authenticated attacker with that little privilege can therefore execute arbitrary PHP code on the server, which in practice means complete site compromise.
Critical Impact
Authenticated users with post editing capabilities can execute arbitrary PHP code on the WordPress server, enabling full site takeover, data theft, and malware deployment.
Affected Products
- PHP Everywhere plugin for WordPress versions <= 2.0.3
- WordPress installations with PHP Everywhere plugin enabled
- Any WordPress site allowing contributor-level or higher user access
Discovery Timeline
- 2022-02-16 - CVE-2022-24665 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-24665
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code, or 'Code Injection'). The PHP Everywhere plugin lets users embed PHP code snippets in WordPress content as a Gutenberg block; the PHP stored in the block is run server-side when the block is rendered. The core issue is that the plugin gated the block on the ability to edit posts rather than on an administrator-only capability, so it never verified that the user supplying the code should be allowed to run code on the server.
Any authenticated user with the ability to edit posts—including contributors who typically have very limited site access—can leverage this functionality to execute arbitrary PHP code on the server. This represents a severe privilege escalation vector, as contributor-level accounts should never have server-side code execution capabilities.
The impact of successful exploitation is extensive: attackers can read sensitive configuration files (including database credentials in wp-config.php), install backdoors, modify site content, exfiltrate user data, or use the compromised server as a launching point for further attacks.
Root Cause
The root cause lies in insufficient authorization checks in the PHP Everywhere plugin's Gutenberg block implementation. The plugin allowed any user capable of editing posts to insert a PHP block and executed its contents without checking whether that user held a capability appropriate for server-side code execution. In WordPress's permission model a contributor can create and edit their own posts but cannot publish them without review; that review step is no control here, because the block's code runs when the draft is rendered (for example in a preview), before anyone with publish rights has looked at it.
Attack Vector
The attack can be executed remotely over the network by any authenticated user with post-editing capabilities. The attacker authenticates to WordPress with a low-privilege account (such as a contributor), creates or edits a post, inserts a PHP Everywhere Gutenberg block containing malicious PHP code, and the code executes on the server when the post is previewed or processed. No user interaction beyond the attacker's own actions is required.
No verified public exploit code is referenced here, so the mechanism is summarized only in outline: the attacker uses the block editor to insert a PHP Everywhere block whose body is arbitrary PHP (for example a call that runs an OS command or reads a file). When WordPress renders the block, that PHP runs with the privileges of the PHP process, normally the web server user. For detailed technical information, refer to the Wordfence security advisory.
Detection Methods for CVE-2022-24665
Indicators of Compromise
- Presence of PHP Everywhere Gutenberg blocks in posts authored by low-privilege users (contributors, authors)
- Unexpected PHP code in WordPress post content or post meta; note that code stored as a block attribute is JSON-serialized by WordPress with < written as \u003c, so it will not contain a literal <?php
- Suspicious file modifications or new files in WordPress directories (especially in uploads or plugin directories)
- Unusual outbound network connections from the web server
- Web server error logs showing PHP execution errors from post content processing
Detection Strategies
- Search the WordPress database for posts by non-administrator authors that contain the plugin's block delimiter (the wp:... comment WordPress writes for the block); confirm the exact block name against the installed plugin's source rather than guessing it
- Monitor the posts table for PHP code patterns such as <?php, eval(, system( and exec(, and also for their JSON-escaped forms (for example \u003c?php) inside block attributes
- Implement file integrity monitoring on WordPress core, plugin, and theme directories
- Deploy web application firewall (WAF) rules to detect PHP code injection attempts in post content submitted through post.php and the REST API (/wp-json/wp/v2/posts), again covering the JSON-escaped forms and not only a literal <?php
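The indicators and detection strategies above come down to one offline check: parse the serialized Gutenberg blocks out of post_content, decode the block attributes (where WordPress escapes < as \u003c, so a plain <?php search can miss the payload) and flag any PHP Everywhere block owned by a user below administrator, plus PHP-looking code in any other block. The script below is an added example written for this page; it is not code from the advisory or from the PHP Everywhere plugin. It assumes the block name contains php-everywhere or php_everywhere (confirm the real name against the installed plugin), and SAMPLE_POSTS and SAMPLE_ROLES are constructed stand-ins for rows of the posts table and the output of wp user list --fields=ID,roles.

```python
"""Offline audit for PHP Everywhere blocks in WordPress post_content.

Added example, not code from the original advisory or from the plugin.
Assumptions (not from the page): the block name is matched loosely on
'php-everywhere' / 'php_everywhere'; the sample rows below are constructed.
"""
import json
import re

# Gutenberg block delimiters as WordPress serializes them:
#   <!-- wp:ns/name {"attr":"v"} -->inner HTML<!-- /wp:ns/name -->
#   <!-- wp:ns/name {"attr":"v"} /-->            (self-closing, no inner HTML)
BLOCK_OPEN = re.compile(
    r"<!--\s+wp:(?P<name>[a-z][a-z0-9_-]*(?:/[a-z][a-z0-9_-]*)?)"
    r"(?:\s+(?P<attrs>\{.*?\}))?\s+(?P<void>/)?-->",
    re.DOTALL,
)

# Strings that should never appear in content a contributor controls.
PHP_PATTERNS = re.compile(
    r"<\?php|<\?=|\b(?:eval|system|exec|shell_exec|passthru|base64_decode)\s*\(",
    re.IGNORECASE,
)


def parse_blocks(post_content):
    """Return a list of (block_name, attrs, inner_html) for every block opener found."""
    blocks = []
    for m in BLOCK_OPEN.finditer(post_content):
        name = m.group("name")
        attrs = {}
        if m.group("attrs"):
            try:
                attrs = json.loads(m.group("attrs"))  # turns \u003c back into '<'
            except json.JSONDecodeError:
                attrs = {"_raw": m.group("attrs")}  # malformed JSON is itself worth a look
        inner = ""
        if not m.group("void"):
            closer = re.compile(r"<!--\s+/wp:" + re.escape(name) + r"\s+-->")
            c = closer.search(post_content, m.end())
            inner = post_content[m.end():c.start()] if c else post_content[m.end():]
        blocks.append((name, attrs, inner))
    return blocks


def _strings(value):
    """Yield every string inside a nested attribute structure."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)


def is_php_everywhere(block_name):
    n = block_name.lower()
    return "php-everywhere" in n or "php_everywhere" in n  # assumption: verify real block name


def audit_posts(posts, roles):
    """posts: dicts with ID, post_author, post_content; roles: {user_id: role}.
    Returns findings, most severe first."""
    findings = []
    for post in posts:
        role = roles.get(post["post_author"], "unknown")
        for name, attrs, inner in parse_blocks(post["post_content"]):
            texts = list(_strings(attrs)) + [inner]
            hits = sorted({h.group(0).lower() for t in texts for h in PHP_PATTERNS.finditer(t)})
            pe = is_php_everywhere(name)
            if pe and role != "administrator":
                severity = "high"    # the CVE-2022-24665 condition: non-admin owns a PHP block
            elif pe:
                severity = "info"    # admin use of the block is expected, still review the code
            elif hits:
                severity = "medium"  # PHP-looking code outside the plugin's block
            else:
                continue
            findings.append({"post_id": post["ID"], "author": post["post_author"], "role": role,
                             "block": name, "severity": severity, "php": hits})
    order = {"high": 0, "medium": 1, "info": 2}
    findings.sort(key=lambda f: (order[f["severity"]], f["post_id"]))
    return findings


# Constructed sample data (not real site data). Post 101 is the CVE scenario: a
# contributor's PHP Everywhere block whose code attribute is stored JSON-escaped.
SAMPLE_ROLES = {1: "administrator", 7: "contributor", 9: "author"}
SAMPLE_POSTS = [
    {"ID": 101, "post_author": 7, "post_content":
        r'<!-- wp:php-everywhere/block {"code":"\u003c?php echo shell_exec($_GET[\u0022c\u0022]); ?\u003e"} /-->'},
    {"ID": 102, "post_author": 1, "post_content":
        r'<!-- wp:php-everywhere/block {"code":"\u003c?php echo date(\u0027Y\u0027); ?\u003e"} /-->'},
    {"ID": 103, "post_author": 7, "post_content":
        "<!-- wp:paragraph -->\n<p>Nothing to see here.</p>\n<!-- /wp:paragraph -->"},
    {"ID": 104, "post_author": 9, "post_content":
        "<!-- wp:html -->\n<?php eval(base64_decode('aGk=')); ?>\n<!-- /wp:html -->"},
]

if __name__ == "__main__":
    for f in audit_posts(SAMPLE_POSTS, SAMPLE_ROLES):
        print(f"{f['severity']:<6} post {f['post_id']} by user {f['author']} ({f['role']}): "
              f"{f['block']} {f['php']}")
```

On a real site, feed audit_posts with rows exported by wp db query and a role map from wp user list; a "high" finding is the exploitation condition described in this advisory and the post should be treated as attacker-controlled until reviewed.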
Monitoring Recommendations
- Enable detailed WordPress audit logging to track post creation and editing by user role
- Set up alerts for new user account creation, especially accounts elevated to contributor level or above
- Monitor web server access logs for unusual POST requests to WordPress editing endpoints (post.php, admin-ajax.php and the REST API under /wp-json/wp/v2/posts), particularly from accounts that rarely write content
- Configure SentinelOne to detect suspicious process execution chains originating from web server processes
How to Mitigate CVE-2022-24665
Immediate Actions Required
- Update PHP Everywhere plugin to version 3.0.0 or later immediately
- Audit all existing posts for malicious PHP code blocks inserted by non-administrator users
- Review user accounts and revoke unnecessary contributor-level or higher access
- Consider temporarily deactivating the PHP Everywhere plugin until the update is applied
- Scan the WordPress installation for backdoors or webshells that may have been installed via exploitation
Patch Information
The vulnerability was addressed in PHP Everywhere version 3.0.0, which implemented proper capability checks to ensure only administrators can execute PHP code via the plugin. Site administrators should update to the latest available version through the WordPress plugin repository. After updating, verify the plugin version by navigating to Plugins > Installed Plugins in the WordPress admin dashboard.
For additional context on this vulnerability and related issues in the plugin, see the Wordfence security advisory.
Workarounds
- If updating is not immediately possible, deactivate the PHP Everywhere plugin until the patch can be applied
- Restrict user registration and limit the number of accounts with contributor-level or higher permissions
- Implement a Web Application Firewall (WAF) with rules to block PHP code patterns in POST request bodies
- Use WordPress security plugins to enforce stricter content filtering and capability restrictions
# Configuration example - Disable PHP Everywhere plugin via WP-CLI (plugin slug: php-everywhere)
wp plugin deactivate php-everywhere --path=/var/www/html/wordpress
# Verify plugin is disabled
wp plugin list --status=inactive --path=/var/www/html/wordpress | grep php-everywhere
# Update PHP Everywhere to the patched version and confirm the installed version is 3.0.0 or later
wp plugin update php-everywhere --path=/var/www/html/wordpress
wp plugin get php-everywhere --field=version --path=/var/www/html/wordpress
# Audit posts for suspicious PHP content. Read the real table prefix instead of assuming wp_, and also
# match the JSON-escaped form (\u003c?php) WordPress writes when code is stored as a block attribute.
# In LIKE, _ is a single-character wildcard, so 'php_everywhere' also matches 'php-everywhere'.
PREFIX=$(wp db prefix --path=/var/www/html/wordpress)
wp db query "SELECT ID, post_author, post_status, post_title FROM ${PREFIX}posts WHERE post_content LIKE '%<?php%' OR post_content LIKE '%u003c?php%' OR post_content LIKE '%php_everywhere%'" --path=/var/www/html/wordpress
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.