WordPress Releases Update 6.4.2 to Address Critical Remote Attack Vulnerability

WordPress

WordPress has released version 6.4.2 with a patch for a critical security flaw that could be exploited by threat actors by combining it with another bug to execute arbitrary PHP code on vulnerable sites.

“A remote code execution vulnerability that is not directly exploitable in core; however, the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installations,” WordPress said.

According to WordPress security company Wordfence, the issue is rooted in the WP_HTML_Token class that was introduced in version 6.4 to improve HTML parsing in the block editor.

A threat actor with the ability to exploit a PHP object injection vulnerability present in any other plugin or theme to chain the two issues to execute arbitrary code and seize control of the targeted site.

“If a POP [property-oriented programming] chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code,” Wordfence noted previously in September 2023.

WordPress

In a similar advisory released by Patchstack, the company said an exploitation chain has been made available on GitHub as of November 17 and added to the PHP Generic Gadget Chains (PHPGGC) project. It’s recommended that users manually check their sites to ensure that it’s updated to the latest version.

“If you are a developer and any of your projects contain function calls to the unserialize function, we highly recommend you swap this with something else, such as JSON encoding/decoding using the json_encode and json_decode PHP functions,” Patchstack CTO Dave Jong said.



Original Source


A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

To keep up to date follow us on the below channels.