WordPress has released version 6.4.2 that contains a patch for a critical severity vulnerability that could allow attackers to execute PHP code on the site and potentially lead to a full site takeover.
The vulnerability was traced back to a feature introduced in WordPress 6.4 that was meant to improve HTML parsing in the block editor.
The issue is not present in earlier versions of WordPress and it only affects versions 6.4 and 6.4.1.
An official WordPress announcement describes the vulnerability:
“A Remote Code Execution vulnerability that is not directly exploitable in core, however the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installs.”
According to an advisory published by Wordfence:
“Since an attacker able to exploit an Object Injection vulnerability would have full control over the on_destroy and bookmark_name properties, they can use this to execute arbitrary code on the site to easily gain full control.
While WordPress Core currently does not have any known object injection vulnerabilities, they are rampant in other plugins and themes. The presence of an easy-to-exploit POP chain in WordPress core substantially increases the danger level of any Object Injection vulnerability.”
Object Injection Vulnerability
Wordfence advises that Object Injection vulnerabilities are not easy to exploit. Nonetheless, it recommends that WordPress users update to the latest version.
WordPress itself advises that users update their sites immediately.
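To make the quoted advisory concrete, here is an added PHP example (not WordPress's own code and not from Wordfence) that contrasts a hypothetical gadget class with a hardened form. The class names are invented for illustration; the property names on_destroy and bookmark_name are the ones the advisory mentions.

```php
<?php
// Hypothetical gadget class, modelled on the pattern the advisory describes:
// a destructor that invokes a callable held in one property with another
// property as its argument. This is NOT WordPress's real WP_HTML_Token code.
class Vulnerable_Token {
    public $bookmark_name = null;
    public $on_destroy    = null;

    public function __destruct() {
        // If an attacker controls both properties through unserialize(),
        // whatever callable $on_destroy names runs with $bookmark_name as input.
        if ( is_callable( $this->on_destroy ) ) {
            call_user_func( $this->on_destroy, $this->bookmark_name );
        }
    }
}

// Hardened form: the object refuses to be reconstituted from serialized data,
// so it can no longer serve as a link in a POP chain. A throwing __wakeup() is
// the shape of the fix WordPress 6.4.2 applied to WP_HTML_Token.
class Hardened_Token {
    public $bookmark_name = null;
    public $on_destroy    = null;

    public function __wakeup() {
        throw new LogicException( __CLASS__ . ' must not be unserialized.' );
    }

    public function __destruct() {
        if ( is_callable( $this->on_destroy ) ) {
            call_user_func( $this->on_destroy, $this->bookmark_name );
        }
    }
}

// Constructed demo: even a benign serialized Hardened_Token is rejected.
$blob = serialize( new Hardened_Token() );
try {
    unserialize( $blob );
} catch ( LogicException $e ) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}

// Defence at the sink, independent of any class: never unserialize untrusted
// input with object instantiation enabled. The result is an incomplete-class
// placeholder whose destructor and wakeup hooks never run.
$safe = unserialize( $blob, array( 'allowed_classes' => false ) );
var_dump( $safe instanceof __PHP_Incomplete_Class );
```

The two defences are complementary: the throwing `__wakeup()` removes the gadget from core, while `allowed_classes => false` at every `unserialize()` call site is what closes the Object Injection entry point that a plugin or theme might still expose.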
Read the official WordPress announcement:
WordPress 6.4.2 Maintenance & Security Release
Read the Wordfence advisory:
PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2