CVE-2022-24663 in PHP Everywhere Plugin
Summary
by MITRE • 02/16/2022
PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes, which can be used by any authenticated user.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/29/2026
This vulnerability exists within the PHP Everywhere plugin version 2.0.3 and earlier, where the software includes a feature that permits the execution of php code snippets through wordpress shortcodes. The flaw represents a critical security weakness that allows any authenticated user to execute arbitrary code on the target system. The vulnerability stems from insufficient input validation and access control mechanisms within the plugin's shortcode processing functionality.
The technical implementation of this vulnerability occurs when an authenticated user submits a malicious shortcode containing php code to the wordpress installation. The plugin fails to properly sanitize or validate the incoming shortcode parameters, allowing the execution of arbitrary php commands within the context of the web server process. This type of vulnerability aligns with CWE-94, which describes improper control of generation of code, specifically encompassing the execution of untrusted code through inadequate validation of user-supplied input.
The operational impact of this vulnerability is severe as it provides attackers with a pathway to execute arbitrary commands on the affected wordpress installation. An authenticated attacker can leverage this weakness to upload malicious files, establish backdoors, access sensitive data, or even compromise the entire server infrastructure. The vulnerability essentially transforms any authenticated user into a potential attacker capable of executing code at the web server level, making it particularly dangerous in multi-user environments where users may have varying permission levels.
From an attack perspective, this vulnerability maps to several techniques within the attack framework including privilege escalation and code injection. The flaw enables attackers to bypass normal access controls and execute malicious php code directly through wordpress shortcodes. Security practitioners should note that this represents a classic example of insufficient input sanitization combined with inadequate access control checks. The vulnerability affects any wordpress installation running the affected plugin version, regardless of the underlying server configuration or security measures in place.
Mitigation strategies include immediate patching of the PHP Everywhere plugin to version 2.0.4 or later, which addresses this specific vulnerability. System administrators should also implement additional security measures such as restricting shortcode usage to trusted users only, implementing web application firewalls to monitor and block suspicious shortcode requests, and conducting regular security audits of installed plugins. The recommended approach involves disabling the problematic functionality entirely if it is not essential for operations, while also ensuring that all wordpress installations maintain current versions with proper security patches applied. Organizations should consider implementing principle of least privilege controls to limit which users can submit shortcodes containing executable code.