CVE-2022-24663
Remote Code Execution by Subscriber+ users via WordPress shortcode
Severity Score
8.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track*
*SSVC
Descriptions
PHP Everywhere <= 2.0.3 included functionality that allowed execution of PHP Code Snippets via WordPress shortcodes, which can be used by any authenticated user.
PHP Everywhere versiones anteriores a 2.0.3 incluyéndola, incluía una funcionalidad que permitía una ejecución de PHP Code Snippets por medio de los shortcodes de WordPress, que podían ser usados por cualquier usuario autenticado
PHP Everywhere versions 2.0.3 and below suffer from multiple remote code execution vulnerabilities.
*Credits:
Ramuel Gall, Wordfence
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track*
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2022-01-04 CVE Published
- 2022-02-07 CVE Reserved
- 2022-02-08 First Exploit
- 2025-01-31 CVE Updated
- 2025-02-04 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-94: Improper Control of Generation of Code ('Code Injection')
CAPEC
References (2)
| URL | Tag | Source |
|---|---|---|
| https://www.wordfence.com/blog/2022/02/critical-vulnerabilities-in-php-everywhere-allow-remote-code-execution | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://packetstorm.news/files/id/165895 | 2022-02-08 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Php Everywhere Project Search vendor "Php Everywhere Project" | Php Everywhere Search vendor "Php Everywhere Project" for product "Php Everywhere" | <= 2.0.3 Search vendor "Php Everywhere Project" for product "Php Everywhere" and version " <= 2.0.3" | wordpress |
Affected
| ||||||