WordPress Plugin Vulnerabilities

PHP Everywhere < 3.0.0 - Subscriber+ RCE via Shortcode

Description

The plugin allows any authenticated users, such as subscriber to execute PHP via the php_everywhere shortcode

Affects Plugins

Plugin icon
php-everywhere
Fixed in 3.0.0

References

CVE
CVE-2022-24663
URL
https://www.wordfence.com/blog/2022/02/critical-vulnerabilities-in-php-everywhere-allow-remote-code-execution/

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
9.9 (critical)

Miscellaneous

Original Researcher
Ramuel Gall (Wordfence)
Verified
Yes
WPVDB ID
bd32c35f-548c-4284-8507-4e7ec9d9d4bd

Timeline

Publicly Published
2022-02-08 (about 4 years ago)
Added
2022-02-08 (about 4 years ago)
Last Updated
2022-04-11 (about 3 years ago)

Other

Published
Title
Published
2021-05-26
Title
Gallery From Files <= 1.6.0 - Unauthenticated RCE
Published
2014-08-01
Title
Kernel Theme - functions/upload-h&ler.php File Upload Remote Code Execution
Published
2021-06-07
Title
WordPress Popular Posts < 5.3.3 - Authenticated Code Injection
Published
2025-09-16
Title
WP Import – Ultimate CSV XML Importer for WordPress 7.20 - 7.28 - Authenticated (Subscriber+) Remote Code Execution via Code Injection
Published
2026-02-10
Title
Lucky Wheel Giveaway < 1.0.23 - Authenticated (Administrator+) Remote Code Execution via 'conditional_tags' Parameter