A critical Remote Code Execution (RCE) vulnerability has been identified in the PHP Everywhere plugin. This vulnerability could allow an attacker to execute arbitrary code on the target website, which could lead to full compromise of the site.

The security flaw was discovered and responsibly reported by Ramuel Gall, underscoring the significance of collaborative efforts in maintaining a secure WordPress environment.


This RCE vulnerability has been assigned a CVSS 3.1 score of 9.9, indicating its critical severity.

Affected Versions:

The vulnerability affects PHP Everywhere versions up to and including version 2.0.3.


Exploiting this critical vulnerability could have devastating consequences for the website’s security, as attackers could:

  • Execute arbitrary code on the target website, potentially enabling them to carry out malicious activities.
  • Gain backdoor access to the website, allowing unauthorized access and potential data theft.
  • Take full control of the website, compromising its functionality and integrity.


To secure the website, follow these essential steps:

  1. Update to Version 3.0.0:For all active and affected versions of the PHP Everywhere plugin, update to the latest version (3.0.0) without delay. This update includes vital fixes to address the RCE vulnerability.
  2. Patch the Vulnerability: With version 3.0.0, the vulnerability has been patched, ensuring enhanced security for the website.