CVE-2022-24664

9.9 CRITICAL

📋 TL;DR

CVE-2022-24664 is a critical remote code execution vulnerability in the PHP Everywhere WordPress plugin. It allows any user with post editing permissions to execute arbitrary PHP code via metaboxes, potentially leading to complete site compromise. It affects WordPress sites running PHP Everywhere version 2.0.3 or earlier.

💻 Affected Systems

Products:
  • PHP Everywhere WordPress Plugin
Versions: <= 2.0.3
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a WordPress installation with the PHP Everywhere plugin enabled. Any user with the edit_posts capability (contributor role or higher by default) can exploit it.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server compromise, allowing attackers to execute arbitrary code, steal data, install backdoors, deface websites, or pivot to other systems.

🟠 Likely Case: Low-privileged users with post editing access can execute PHP code to gain administrative privileges, modify site content, or install malware.

🟢 If Mitigated: With proper user access controls and plugin updates, the risk is limited to authorized accounts, but a compromised account of that kind still presents a significant threat.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and any user with editing permissions can exploit this vulnerability remotely.
🏢 Internal Only: MEDIUM - Internal users with editing permissions could exploit it, but doing so requires authenticated access to the WordPress admin interface.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to WordPress admin with post editing permissions. Public proof-of-concept code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.4

Vendor Advisory: https://wordpress.org/plugins/php-everywhere/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the PHP Everywhere plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.0.4+ from the WordPress repository and replace the plugin files.

🔧 Temporary Workarounds

Disable PHP Everywhere Plugin

Applies to: all

Temporarily disable the vulnerable plugin until it is patched:

wp plugin deactivate php-everywhere

Restrict User Capabilities

Applies to: all

Remove the roles that carry the edit_posts capability (contributor, author, editor) from non-administrative users. Note that removing a role strips every capability of that role, not only edit_posts, so review each affected account first:

wp user remove-role <username> contributor
wp user remove-role <username> author
wp user remove-role <username> editor

🧯 If You Can't Patch

  • Immediately disable the PHP Everywhere plugin on all affected WordPress sites
  • Implement strict user access controls and review every user with post editing permissions

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins → PHP Everywhere version. If the version is 2.0.3 or lower, the site is vulnerable.

Check Version:

wp plugin get php-everywhere --field=version

Verify Fix Applied:

Verify that the PHP Everywhere plugin version is 2.0.4 or higher in the WordPress admin panel (or in the output of the wp-cli command above).
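As an added example (not from the advisory or the plugin vendor), a POSIX sh triage script that applies the version boundary above and the wp-cli commands from the workaround section: it decides whether an installed version is affected and, when it is, deactivates the plugin until it can be updated. The function names are my own; `--path` is wp-cli's standard global flag for pointing at a WordPress root.

```shell
#!/bin/sh
# Added example, not part of the advisory: triage a WordPress install for
# CVE-2022-24664 using the version boundary (<= 2.0.3 affected, 2.0.4 fixed)
# and the wp-cli commands the advisory recommends. Assumes plain dotted
# numeric versions (e.g. "2.0.3"); a shorter "1.2" is treated as "1.2.0".
FIXED_VERSION="2.0.4"

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
version_lt() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"            # leading component of each
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    ai="${ai:-0}"; bi="${bi:-0}"            # missing components count as 0
    if [ "$ai" -lt "$bi" ]; then return 0; fi
    if [ "$ai" -gt "$bi" ]; then return 1; fi
  done
  return 1                                  # versions are equal
}

# assess_version V: print VULNERABLE for affected releases, PATCHED otherwise.
assess_version() {
  if version_lt "$1" "$FIXED_VERSION"; then echo VULNERABLE; else echo PATCHED; fi
}

# triage_site PATH: read the installed version via wp-cli and, when affected,
# apply the advisory's temporary workaround (deactivate) until it is updated.
triage_site() {
  wp_path="$1"
  if ! v=$(wp plugin get php-everywhere --field=version --path="$wp_path" 2>/dev/null); then
    echo "php-everywhere not installed or wp-cli unavailable at $wp_path"
    return 0
  fi
  status=$(assess_version "$v")
  echo "php-everywhere $v at $wp_path: $status"
  if [ "$status" = VULNERABLE ]; then
    wp plugin deactivate php-everywhere --path="$wp_path"
    echo "deactivated; update to $FIXED_VERSION or later, then reactivate"
  fi
}

# Usage: sh triage.sh /var/www/html   (path to the WordPress root)
if [ $# -gt 0 ]; then triage_site "$1"; fi
```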

📡 Detection & Monitoring

Log Indicators:

  • Unusual PHP execution in WordPress metaboxes
  • Multiple failed login attempts followed by successful login and plugin modification
  • Unexpected file creation in wp-content/plugins/php-everywhere directory

Network Indicators:

  • HTTP POST requests to /wp-admin/post.php with PHP code in the parameters (request bodies are not in standard web server access logs, so this needs WAF or body-level logging)
  • Unusual outbound connections from WordPress server

SIEM Query:

source="wordpress.log" AND ("php-everywhere" OR "metabox" OR "execute_code") AND status=200
