CVE-2022-24663: 
WordPress vulnerability analysis and mitigation

The PHP Everywhere WordPress plugin (versions <= 2.0.3) contained a critical vulnerability identified as CVE-2022-24663. The vulnerability was discovered in February 2022 and allowed the execution of PHP Code Snippets through WordPress shortcodes by any authenticated user, including those with minimal privileges such as subscribers (WPScan, NVD).

The vulnerability is classified as a Code Injection (CWE-94) issue. It received a CVSS v3.1 base score of 9.9 (Critical) from Wordfence and 8.8 (High) from NVD, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The technical nature of the vulnerability revolves around improper control of code generation, allowing authenticated users to execute arbitrary PHP code through WordPress shortcodes (NVD).

The vulnerability allows any authenticated user, including those with minimal privileges such as subscribers, to execute arbitrary PHP code on the affected WordPress installation. This could lead to complete site compromise, as attackers could potentially gain unauthorized access, modify content, or execute malicious code on the server (WPScan).

The vulnerability was fixed in PHP Everywhere version 3.0.0. Users of affected versions are strongly advised to update to this version or later to mitigate the risk (WPScan).