Three security flaws in PHP Everywhere, a WordPress plugin installed on more than 30,000 sites, allowed attackers to execute arbitrary PHP code on the affected sites. The vulnerabilities were reported in January and have since been patched; administrators are advised to update the plugin as soon as possible.
The plugin is used to embed PHP code in pages, posts, menus and other editable WordPress blocks that render dynamic content. Because its whole purpose is to execute PHP supplied by site users, the question is who may supply it: the most serious of the three flaws let authenticated users without administrator privileges submit PHP of their own, which the plugin then executed on the server.
The other two flaws were also rated severe, although exploiting them took more steps. In the first, a low-privileged user could attach PHP to a post through the plugin's metadata fields and trigger it simply by previewing the post, so the code ran on the server under the legitimate site's own domain. The second allowed PHP to be injected directly through the plugin's content block; here, however, the administrator first had to have changed the plugin's default permission settings, which narrows the set of sites that could be attacked this way.
In all cases the outcome is remote code execution, which can serve a range of ends, from publishing fake pages for phishing campaigns to a complete takeover of the site's administration. For the most serious flaw, an ordinary registered account with the lowest "subscriber" role, the one open registration hands out, was enough; the other two required an account allowed to write posts, that is, contributor level or above.
The vulnerabilities were discovered in early January by Wordfence, a company specializing in WordPress security, and fixing them meant rewriting the plugin rather than patching it: the software jumped from version 2.0.3 straight to 3.0.0, which is available now and should be installed by site administrators without delay.
Keeping WordPress plugins updated is a basic security measure
According to official WordPress.org figures, at least half of the more than 30,000 PHP Everywhere installations had not yet moved to the latest version. Those sites remain exposed to flaws that are now public, and criminals can be expected to use them against exactly such unmaintained pages.
The same advice applies to every plugin, and to WordPress itself: run the latest release. Reviewing the list of registered users and watching for unexpected changes to content or settings also helps surface a compromise, and such compromises are particularly common through site-management extensions.
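The two checks recommended above, an outdated-plugin review and a look at recently registered accounts, can be scripted against WP-CLI output. The following is an added example, not code from the original article or from the plugin's authors. It assumes the output of `wp plugin list --format=json` and `wp user list --format=json` as its input, assumes the plugin's directory slug is "php-everywhere", and uses constructed sample records so that it runs offline; the only version fact it encodes is the one stated above, that releases up to 2.0.3 are affected and 3.0.0 carries the fix.

```python
"""Post-disclosure checks for a WordPress site, driven by WP-CLI JSON output.

Added example, not code from the original article or from the plugin's authors.
Assumed data sources (run on the server):
    wp plugin list --format=json  > plugins.json
    wp user list   --format=json  > users.json
The sample records at the bottom are constructed for offline demonstration.
"""
import json
import sys
from datetime import datetime

# Versions below which a plugin is known vulnerable and must be updated.
# Per the advisory discussed above, PHP Everywhere <= 2.0.3 is affected and
# 3.0.0 carries the fix. The slug "php-everywhere" is an assumption.
MIN_SAFE_VERSION = {"php-everywhere": "3.0.0"}


def parse_version(text):
    """'2.0.3' -> (2, 0, 3). Numeric comparison avoids '2.10' < '2.9' mistakes."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts + [0] * (3 - len(parts)))


def vulnerable_plugins(plugins):
    """Slugs installed (active or not) below their minimum safe version."""
    hits = []
    for p in plugins:
        floor = MIN_SAFE_VERSION.get(p["name"])
        if floor and parse_version(p["version"]) < parse_version(floor):
            hits.append(p["name"])
    return hits


def outdated_plugins(plugins):
    """Slugs for which WP-CLI reports a pending update, known CVE or not."""
    return [p["name"] for p in plugins if p.get("update") == "available"]


def suspicious_accounts(users, since, default_role="subscriber"):
    """Accounts registered on or after `since` (YYYY-MM-DD) holding a role above
    the self-registration default. Open registration only ever grants the
    default role, so a fresh account with more privilege deserves a look."""
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    hits = []
    for u in users:
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        roles = {r.strip() for r in u["roles"].split(",") if r.strip()}
        if registered >= cutoff and roles - {default_role}:
            hits.append(u["user_login"])
    return hits


# Constructed sample data in the shape WP-CLI emits.
SAMPLE_PLUGINS = json.loads("""[
 {"name": "akismet", "status": "active", "update": "none", "version": "4.2.2"},
 {"name": "php-everywhere", "status": "active", "update": "available", "version": "2.0.3"},
 {"name": "classic-editor", "status": "inactive", "update": "available", "version": "1.6"}
]""")

SAMPLE_USERS = json.loads("""[
 {"ID": 1, "user_login": "siteadmin", "user_registered": "2019-05-02 08:00:00", "roles": "administrator"},
 {"ID": 14, "user_login": "reader42", "user_registered": "2022-01-20 13:05:11", "roles": "subscriber"},
 {"ID": 15, "user_login": "wp_support", "user_registered": "2022-01-21 02:14:37", "roles": "contributor"}
]""")


if __name__ == "__main__":
    # Usage: python audit.py plugins.json users.json   (falls back to samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            plugins = json.load(f)
        with open(sys.argv[2]) as f:
            users = json.load(f)
    else:
        plugins, users = SAMPLE_PLUGINS, SAMPLE_USERS
    print("known-vulnerable plugins:", vulnerable_plugins(plugins))
    print("plugins with pending updates:", outdated_plugins(plugins))
    print("new accounts above default role:", suspicious_accounts(users, "2022-01-01"))
```

The account check is deliberately crude: it does not prove compromise, it only lists the accounts an administrator should be able to explain. The version floor is compared numerically rather than as a string, which matters once a plugin reaches a two-digit minor or patch number.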