fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

PHP Everywhere RCE Flaws Threaten Thousands of WordPress Sites

PHP Everywhere RCE Flaws Threaten Thousands of WordPress Sites

Researchers found three critical remote code execution (RCE) vulnerabilities in the ‘PHP Everywhere’ plugin for WordPress, used by over 30,000 websites worldwide.

PHP Everywhere is a plugin that allows WordPress admins to insert PHP code in pages, posts, the sidebar, or any Gutenberg block, and use it to display dynamic content based on evaluated PHP expressions.

Three RCE flaws

The three vulnerabilities were discovered by security analysts at Wordfence and can be exploited by contributors or subscribers, affecting all WordPress versions from 2.0.3 and below.

Also Read: Data Minimization; Why Bigger is Not Always Better

Here’s a short description of the flaws:

  • CVE-2022-24663 – Remote code execution flaw exploitable by any subscriber  by allowing them to send a request with the ‘shortcode’ parameter set to PHP Everywhere, and execute arbitrary PHP code on the site. (CVSS v3 score: 9.9)
  • CVE-2022-24664 – RCE vulnerability exploitable by contributors via the plugin’s metabox. An attacker would create a post, add a PHP code metabox, and then preview it. (CVSS v3 score: 9.9)
  • CVE-2022-24665 – RCE flaw exploitable by contributors who have the ‘edit_posts’ capability and can add PHP Everywhere Gutenberg blocks. Default security setting on vulnerable plugin versions isn’t on ‘admin-only’ as it should be. (CVSS v3 score: 9.9)

While the last two flaws aren’t easily exploitable as they require contributor-level permissions, the first vulnerability is a lot more open to broader exploitation as it can be exploited by just being a subscriber on the site.

For example, a logged-in customer on a site is considered a ‘subscriber,’ so merely registering on the target platform would be enough to gain enough privileges for malicious PHP code execution.

In all cases, executing arbitrary code on a site can lead to a complete site takeover, which is the worst possible scenario in website security.

Fix only for Block editor

Wordfence’s team discovered the vulnerabilities on January 4, 2022, and informed the author of PHP Everywhere of its findings.

The vendor released a security update on January 10, 2022, with version 3.0.0, which took a major version number bump because it required a substantial code rewrite.

Also Read: Vulnerability Management For Cybersecurity Dummies

While the developers fixed the update last month, it is not uncommon for admins to not regularly update their WordPress site and plugins. According to the download stats on WordPress.org, only 15,000 installs out of 30,000 have updated the plugin since the bugs were fixed.

Therefore, due to the severity of these vulnerabilities, all users of PHP Everywhere are strongly advised to make sure they have upgraded to PHP Everywhere version 3.0.0, which is the latest available at this time.

Note that if you’re using the Classic Editor on your site, you will need to uninstall the plugin and find another solution for hosting custom PHP code on its components.

That is because version 3.0.0 only supports PHP snippets via the Block editor, and it’s unlikely that the author will work on restoring functionality for the sun-setting Classic.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us