PHP Everywhere is an open source WordPress plugin, which was recently disclosed to have three serious security vulnerabilities, the plugin has been used by more than 30,000 websites worldwide, attackers can The vulnerability can be exploited to execute arbitrary code on the affected site.


PHP Everywhere enables PHP code on WordPress from anywhere, enabling users to insert and execute PHP-based code on pages, posts, and sidebars in the content management system. The plugin also supports different user restrictions and multiple instances of PHP.

All three vulnerabilities are rated 9.9 out of 10 in the CVSS rating system and affect versions 2.0.3 and below, with specific details of the vulnerabilities as follows.

  • CVE-2022-24663 - The vulnerability allows any authenticated user to execute shortcodes (shortcode) via the parse-media-shortcode AJAX operation, resulting in remote code execution (a logged-in user with little or no privileges on the site can also completely take over the site, i.e., a subscriber in WordPress).
  • CVE-2022-24664 - Remote code execution via metabox (this vulnerability requires WordPress contributor-level privileges and is therefore less severe).
  • CVE-2022-24665 - Remote code execution via gutenberg block (again, requires WordPress contributor-level privileges)

If a site has these three vulnerabilities, a hacker will be able to exploit them and execute malicious PHP code, or even achieve a complete takeover of the site.

WordPress security firm Wordfence disclosed these vulnerabilities to the plugin’s author, Alexander Fuchs, on January 4, and subsequently released a version 3.0.0 update on January 12 that completely removed the vulnerable code.

The update notes for PHP Everywhere indicate that.

The version 3.0.0 update of this plugin features significant changes, removing the PHP Everywhere shortcode and widget. Run the upgrade wizard from the plugin’s settings page to migrate your old code to Gutenberg blocks.

Note that version 3.0.0 only supports PHP code snippets via the Block editor, making it necessary for users who still rely on the classic editor to uninstall the plugin and download an alternative solution to host custom PHP code.

According to WordPress statistics, only 15,000 sites have been updated with the plugin since the bug was fixed.