CVE-2022-24665: 
WordPress vulnerability analysis and mitigation

PHP Everywhere versions 2.0.3 and below contained a critical vulnerability (CVE-2022-24665) that allowed users with post editing privileges to execute arbitrary PHP code snippets through the WordPress Gutenberg block functionality. The vulnerability was discovered and disclosed in February 2022 (Wordfence).

The vulnerability is classified as a Code Injection vulnerability (CWE-94) with a CVSS v3.1 base score of 8.8 (High) according to NVD, while Wordfence assessed it at 9.9 (Critical). The vulnerability vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, low privileges required, no user interaction needed, and high impact on confidentiality, integrity, and availability (NVD).

The vulnerability allows any user with post editing capabilities (as low as Contributor role) to execute arbitrary PHP code on the affected WordPress installation. This could lead to complete site compromise, including unauthorized access to sensitive data, modification of website content, and potential server takeover (WPScan).

The vulnerability was patched in PHP Everywhere version 3.0.0. Site administrators running vulnerable versions should immediately upgrade to version 3.0.0 or later to protect against potential exploitation (WPScan).

The vulnerability received significant attention from the security community, particularly after U.S. government agencies released a bulletin in July 2024 highlighting its potential abuse by state-sponsored actors (AttackerKB).