According to the WordFence Threat Intelligence team, the three vulnerabilities in PHP Everywhere all lead to remote code execution in versions of the software below 2.0.3.

A critical severity vulnerability in a WordPress plugin with more than 90,000 installs can let attackers gain remote code execution to fully compromise vulnerable websites.

WordPress has released version 6.4.2 that addresses a remote code execution (RCE) vulnerability that could be chained with another flaw to allow attackers run arbitrary PHP code on the target website.

The researchers at Secarma who uncovered the exploit said it enables bad actors to potentially open up thousands of WordPress sites (and other web applications) to remote code-execution.