WordPress Plugin Vulnerabilities

PHP Everywhere < 3.0.0 - Contributor+ RCE via Gutenberg Block

Description

The plugin allows any users with a role as low as contributor to execute PHP via the Gutenberg Block of the plugin in posts

Affects Plugins

Plugin icon
php-everywhere
Fixed in 3.0.0

References

CVE
CVE-2022-24665
URL
https://www.wordfence.com/blog/2022/02/critical-vulnerabilities-in-php-everywhere-allow-remote-code-execution/

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
9.9 (critical)

Miscellaneous

Original Researcher
Ramuel Gall (Wordfence)
Verified
Yes
WPVDB ID
ad27ae7e-fffa-499c-9cee-250789439a23

Timeline

Publicly Published
2022-02-08 (about 4 years ago)
Added
2022-02-08 (about 4 years ago)
Last Updated
2022-04-13 (about 3 years ago)

Other

Published
Title
Published
2025-04-10
Title
Everest Forms < 3.1.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
Published
2025-11-24
Title
Sneeit Framework < 8.4 - Unauthenticated Remote Code Execution in sneeit_articles_pagination_callback
Published
2025-02-17
Title
PressMart - Modern Elementor WooCommerce WordPress Theme < 1.2.17 - Unauthenticated Arbitrary Shortcode Execution
Published
2023-12-05
Title
Astra Pro < 4.3.2 - Authenticated(Contributor+) Remote Code Execution via Metabox
Published
2014-08-01
Title
W3 Total Cache - Remote Code Execution