Tens of thousands of WordPress sites are at risk of serious damage to a widely used plug-in plugin that helps use PHP code on the site.
One of the bugs allows any authorized user of any level – even subscribers and customers – to issue code that could completely replace a site with a plugin installed, researchers found.
Three threats are caused by default plug-in settings that have been fixed by the plug-in developer after Wordfence notified him of a responsible disclosure process.
Researchers from Wordfence Threat Intelligence have found three dangers in PHP Everywhere, a plug-in installed on more than 30,000 WordPress sites, as revealed in a blog post published Tuesday. The plug-in does exactly what its name suggests, allowing WordPress site developers to place PHP code in various parts of the site, including pages, posts and side bars.
Read More: https://threatpost.com/php-everywhere-bugs-wordpress-rce/178338/
