WordPress Releases Version 6.4.2 for Critical Vulnerability Fix

WordPress has released version 6.4.2, which includes a patch for a critical vulnerability that could allow attackers to execute PHP code on the site and potentially take over the entire site.

The vulnerability originated from a feature introduced in WordPress 6.4 that aimed to improve HTML parsing in the block editor.

This issue does not affect earlier versions of WordPress and is limited to versions 6.4 and 6.4.1.

An official WordPress announcement describes the vulnerability:

“A Remote Code Execution vulnerability that is not directly exploitable in core; however, the security team believes there is a potential for high severity when combined with some plugins, especially in multisite installs.”

According to an advisory published by Wordfence:

“Since an attacker able to exploit an Object Injection vulnerability would have full control over the on_destroy and bookmark_name properties, they can use this to execute arbitrary code on the site and easily gain full control.”

“While WordPress Core currently does not have any known object injection vulnerabilities, they are rampant in other plugins and themes. The presence of an easy-to-exploit POP chain in WordPress core substantially increases the danger level of any Object Injection vulnerability.”

Wordfence advises that Object Injection vulnerabilities are challenging to exploit. Nonetheless, they recommend that WordPress users update to the latest versions. WordPress itself also advises users to update their sites immediately.
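Because the exposure is limited to core versions 6.4 and 6.4.1, the practical first step for an administrator is to find every install still on one of those builds. The following is an added example (not from WordPress, Wordfence or the article) that reads the `$wp_version` string from `wp-includes/version.php` under a given document root and reports whether it falls in the affected range; the sample `version.php` text is constructed for the demonstration.

```python
import re
from pathlib import Path
from typing import Optional

# Range named by the advisory: 6.4 and 6.4.1 are affected, 6.4.2 carries the fix.
FIRST_AFFECTED = (6, 4, 0)
FIXED_IN = (6, 4, 2)

_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")

def parse_wp_version(version_php: str) -> Optional[str]:
    """Extract the $wp_version string from the text of wp-includes/version.php."""
    m = _VERSION_RE.search(version_php)
    return m.group(1) if m else None

def version_tuple(version: str) -> Optional[tuple]:
    """Turn '6.4' or '6.4.1' into a comparable (major, minor, patch) tuple.
    Returns None for non-numeric strings (betas, RCs) so they are reviewed by hand."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        return None
    parts = [int(p) for p in version.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])

def is_affected(version: str) -> Optional[bool]:
    """True when 6.4 <= version < 6.4.2; None when the version string is not numeric."""
    v = version_tuple(version)
    if v is None:
        return None
    return FIRST_AFFECTED <= v < FIXED_IN

def audit_docroot(docroot: str) -> dict:
    """Read wp-includes/version.php under a WordPress docroot and report its status."""
    path = Path(docroot) / "wp-includes" / "version.php"
    try:
        version = parse_wp_version(path.read_text(encoding="utf-8"))
    except OSError:
        return {"docroot": docroot, "version": None, "affected": None, "note": "version.php not readable"}
    if version is None:
        return {"docroot": docroot, "version": None, "affected": None, "note": "no $wp_version found"}
    return {"docroot": docroot, "version": version, "affected": is_affected(version), "note": ""}

# Constructed sample of the relevant line from a 6.4.1 install (not a real file).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '6.4.1';\n"

if __name__ == "__main__":
    v = parse_wp_version(SAMPLE_VERSION_PHP)
    print(v, "affected" if is_affected(v) else "not affected")
```

Run `audit_docroot()` over each site's document root on a multisite or shared host to get one status line per install.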

Featured Image by Shutterstock/Nikulina Tatiana
