Critical Remote Code Execution Vulnerabilities in WordPress PHP Everywhere
10 February 2022
PHP Everywhere has released a security update to address several remote code execution vulnerabilities found in the WordPress PHP Everywhere plugin.
The vulnerabilities are:
CVE-2022-24663 - A vulnerability that allows users with almost no permissions, such as a subscriber, to execute arbitrary PHP code on a site by sending a request with the shortcode parameter set to 'PHP Everywhere'. This could allow the complete takeover of the site.
CVE-2022-24664 - A vulnerability that allows untrusted contributor-level users to use the PHP Everywhere metabox to achieve remote code execution on a site. The vulnerability can be exploited by creating a post, adding PHP code to the PHP Everywhere metabox, and then previewing the post.
CVE-2022-24665 - A vulnerability that allows untrusted contributor-level users to use the PHP Everywhere Gutenberg block to achieve remote code execution on a site. The vulnerability can be exploited by creating a post, adding PHP code to the PHP Everywhere block, and then previewing the post.
These vulnerabilities affect versions 2.0.3 and earlier of the WordPress PHP Everywhere plugin.
Administrators are advised to upgrade to the latest version immediately.
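As an added defender-side check that is not part of this advisory, the Python script below locates the plugin under a WordPress plugins directory by the "Plugin Name" field of its header and reports whether the installed version is 2.0.3 or earlier; the plugin directory and file names used in the demo are constructed for the example, not taken from the real plugin.

```python
import re
import tempfile
from pathlib import Path

# Versions 2.0.3 and earlier are affected (from the advisory).
AFFECTED_MAX = "2.0.3"
# Constructed sample of a WordPress plugin header in the standard format;
# this is not the real plugin's file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: PHP Everywhere
 * Version: 2.0.3
 */
"""

def parse_plugin_header(text):
    """Read 'Plugin Name' and 'Version' from the comment block at the top of a plugin file."""
    head = text[:8192]  # WordPress itself only inspects the first 8 KiB
    fields = {}
    for key in ("Plugin Name", "Version"):
        m = re.search(r"^[ \t/*#@]*" + re.escape(key) + r":\s*(.+?)\s*$", head, re.M | re.I)
        if m:
            fields[key] = m.group(1)
    return fields

def version_tuple(v):
    """Numeric components only, so '2.0' < '2.0.3'; an unparseable string becomes ()."""
    return tuple(int(n) for n in re.findall(r"\d+", v))

def is_affected(version):
    """True for 2.0.3 and earlier (an unparseable version is treated as affected, fail-closed)."""
    return version_tuple(version) <= version_tuple(AFFECTED_MAX)

def find_php_everywhere(plugins_dir):
    """Scan wp-content/plugins/*/*.php for the plugin by header name; return (path, version) or None."""
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = parse_plugin_header(php.read_text(errors="replace"))
        if fields.get("Plugin Name", "").lower() == "php everywhere":
            return str(php), fields.get("Version", "")
    return None

def demo():
    """Build a constructed plugins directory and run the check against it."""
    with tempfile.TemporaryDirectory() as d:
        php = Path(d) / "php-everywhere" / "php-everywhere.php"  # constructed layout
        php.parent.mkdir()
        php.write_text(SAMPLE_HEADER)
        _, version = find_php_everywhere(d)
        return version, is_affected(version)

if __name__ == "__main__":
    print(demo())
```

On a live site, call find_php_everywhere() with the path to wp-content/plugins and compare the reported version against the advisory's cut-off.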
More information is available here:
https://www.bleepingcomputer.com/news/security/php-everywhere-rce-flaws-threaten-thousands-of-wordpress-sites/
https://www.wordfence.com/blog/2022/02/critical-vulnerabilities-in-php-everywhere-allow-remote-code-execution/
https://packetstormsecurity.com/files/165895/PHP-Everywhere-2.0.3-Remote-Code-Execution.html