WordPress has launched security release version 6.4.3 to address two vulnerabilities and fix 21 bugs.
PHP File Upload Bypass
The first patch targets a vulnerability related to a PHP File Upload Bypass via the Plugin Installer. This flaw permits attackers to upload PHP files using the plugin and theme uploader. PHP, a server-side scripting language commonly used to generate HTML, can also be used to inject malware into a website once an attacker is able to upload a PHP file to the server. However, this vulnerability is less alarming because exploiting it requires administrator-level permissions.
PHP Object Injection Vulnerability
The second patch fixes a Remote Code Execution (RCE) POP Chains vulnerability, which could allow attackers to execute code remotely. This type of vulnerability typically involves manipulating input that the WordPress site deserializes, enabling arbitrary code execution on the server. Serialization converts data into a storable string format, and deserialization converts that string back into its original form, such as an array or object.
Wordfence describes this issue as a PHP Object Injection vulnerability, without mentioning the RCE Pop Chains component. According to Wordfence, the patch updates the way options are stored by sanitizing them before checking their data type, ensuring arrays and objects are serialized appropriately. This process was missing during site installation, initialization, or upgrade, though it already occurs when options are updated. Like the first vulnerability, this one also requires administrator-level permissions for a successful attack.
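As an added illustration (not WordPress core code and not the actual 6.4.3 patch), the following PHP shows the storage discipline the Wordfence description points at: every array, object or serialized-looking string is serialized by the application itself before it is stored, and reads never revive objects. The AuditLogEntry class and the helper names are hypothetical.

```php
<?php
// Added illustration, not WordPress core. Shows why an application must
// serialize option values itself and why untrusted serialized data should be
// read back with object revival disabled.

// Hypothetical class standing in for any class whose magic method runs on
// unserialize(). Here it only announces that it was revived.
class AuditLogEntry {
    public string $msg = '';
    public function __wakeup(): void { echo "[__wakeup ran for AuditLogEntry]\n"; }
}

// Store an option safely: wrap every value in its own serialization so a string
// that merely *looks* serialized stays a string (WordPress's maybe_serialize()
// likewise re-serializes strings that already appear serialized).
function store_option(array &$db, string $name, mixed $value): void {
    $db[$name] = serialize($value);
}

// Read an option without letting serialized data construct real objects:
// any embedded object becomes __PHP_Incomplete_Class, so no __wakeup or
// __destruct of an application class is ever invoked.
function read_option(array $db, string $name): mixed {
    return unserialize($db[$name], ['allowed_classes' => false]);
}

// Constructed input: a string that is itself a serialized AuditLogEntry,
// the shape of value an object-injection attempt would supply.
$looksSerialized = 'O:13:"AuditLogEntry":1:{s:3:"msg";s:2:"hi";}';

$db = [];
store_option($db, 'site_note', $looksSerialized);

// Hardened path: the original string comes back untouched, no object is built.
var_dump(read_option($db, 'site_note') === $looksSerialized);   // bool(true)

// Contrast: if the raw string were stored as-is and read back with a default
// unserialize(), the object would be revived and its magic method would run.
$unsafeDb = ['site_note' => $looksSerialized];
$obj = unserialize($unsafeDb['site_note']);      // prints the __wakeup line
var_dump($obj instanceof AuditLogEntry);          // bool(true)
```

The second half is exactly the situation the patch closes off for the install, initialization and upgrade paths: a value stored without the application's own serialization step is later interpreted as an object.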
Despite the low threat level, the official WordPress announcement strongly recommends immediately updating all WordPress installations:
"Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 4.1 and later."
Bug Fixes In WordPress Core
This release also addresses five core bugs in WordPress:
- Text not being highlighted when editing a page in the latest versions of Chrome Dev and Canary
- Update of the default PHP version used in the local Docker Environment for older branches
- Issues with login messages/errors on wp-login.php
- Deprecated print_emoji_styles commands appearing during embed
- Attachment pages being disabled only for logged-in users
Additionally, there are 16 more bug fixes in the Block Editor, bringing the total to 21 bug fixes in this release.
For detailed descriptions of each of the 21 bug fixes, refer to the official WordPress announcements. Wordfence also provides a detailed breakdown of the vulnerabilities and the importance of the WordPress 6.4.3 Security Update.