The plug-in’s default settings spawned flaws that could allow for full site takeover but have since been fixed in an update that users should immediately install, Wordfence researchers said.
Tens of thousands of WordPress sites are at risk from critical vulnerabilities in a widely used plug-in that facilitates the use of PHP code on a site.
One of the bugs allows any authenticated user of any level – even subscribers and customers – to execute code that can completely take over a site that has the plugin installed, researchers have found.
Researchers from Wordfence Threat Intelligence discovered three critical vulnerabilities in PHP Everywhere, a plug-in installed on more than 30,000 WordPress sites, as they revealed in a blog post published Tuesday. The plug-in does precisely what its name suggests, allowing WordPress site developers to put PHP code in various components of a site, including pages, posts and sidebars.
See also: https://www.bleepingcomputer.com/news/security/php-everywhere-rce-flaws-threaten-thousands-of-wordpress-sites/