The RCE bugs impact PHP Everywhere, a utility for web developers to be able to use PHP code in pages, posts, the sidebar, or anywhere with a Gutenberg block – editor blocks in WordPress – on ...

Tens of thousands of WordPress sites are at risk from critical vulnerabilities in a widely used plug-in that facilitates the use of PHP code on a site.

Researchers found three critical remote code execution (RCE) vulnerabilities in the PHP Everywhere plugin for WordPress, used by over 30,000 websites worldwide.

Attackers are using Eval PHP, an outdated legitimate WordPress plugin, to compromise websites by injecting stealthy backdoors.

Thanks to WordPress’s action hook system however, enabling it is not difficult. To enable this functionality, you only need to add a new filter hook into your themes functions.php file.