PHP Everywhere is an open-source WordPress plugin, with more than 30,000 downloads, designed to enable PHP code anywhere in a WordPress installation.
The latest PHP Everywhere iteration was released last month with patches for three critical vulnerabilities (CVSS score of 9.9) that could allow users with low privileges to execute code on the WordPress sites that use the plugin.
The most severe of these issues is CVE-2022-24663, a vulnerability that allows any authenticated user, including subscribers and customers, to “execute shortcodes via the parse-media-shortcode AJAX action,” Wordfence explains.