WordPress announced security release version 6.4.3, which addresses two vulnerabilities discovered in WordPress and includes 21 bug fixes.
PHP File Upload Bypass
The first patch is for a PHP File Upload Bypass Via Plugin Installer vulnerability. It’s a flaw in WordPress that allows an attacker to upload PHP files via the plugin and theme uploader. PHP is a scripting language that is used to generate HTML. PHP files can also be used to inject malware into a website.
However, this vulnerability is not as bad as it sounds because the attacker needs administrator-level permissions in order to execute this attack.
PHP Object Injection Vulnerability
According to WordPress the second patch is for a Remote Code Execution POP Chains vulnerability which could allow an attacker to remotely execute code.
An RCE POP Chains vulnerability typically means that there’s a flaw that allows an attacker, usually by manipulating input that the WordPress site deserializes, to execute arbitrary code on the server.
Serialization is the process where data is converted into a serialized format (like a text string); deserialization is the part where it’s converted back into its original form.
Wordfence describes this vulnerability as a PHP Object Injection vulnerability and doesn’t mention the RCE POP Chains part.
This is how Wordfence describes the second WordPress vulnerability:
“The second patch addresses the way that options are stored – it first sanitizes them before checking the data type of the option – arrays and objects are serialized, as well as already serialized data, which is serialized again. While this already happens when options are updated, it was not performed during site installation, initialization, or upgrade.”
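The storage behaviour Wordfence describes, as an added example (not WordPress or Wordfence code): the function names, the Marker class and the simplified serialized-data check are assumptions made for illustration. It compares a write path that stores a serialized-looking string as-is with one that serializes it again before storing.

```php
<?php
// Added example: simplified stand-ins, not WordPress core code.

// Harmless class, used only to make an unintended object revival visible.
class Marker {
    public $note = 'constructed sample';
}

// Assumption: a rough "looks like PHP-serialized data" check, far simpler
// than what a production check would need.
function looks_serialized(string $value): bool {
    $value = trim($value);
    return $value === 'N;' || preg_match('/^[aOsbid]:[0-9.]+[:;]/', $value) === 1;
}

// Unguarded write path: arrays and objects are serialized, strings are stored as-is.
function store_unguarded($value) {
    return (is_array($value) || is_object($value)) ? serialize($value) : $value;
}

// Guarded write path, following the quoted description: arrays and objects are
// serialized, and already serialized data is serialized again.
function store_guarded($value) {
    if (is_array($value) || is_object($value)) {
        return serialize($value);
    }
    if (is_string($value) && looks_serialized($value)) {
        return serialize($value);
    }
    return $value;
}

// Read path: unserialize exactly once when the stored value looks serialized.
function load_option($stored) {
    return (is_string($stored) && looks_serialized($stored)) ? unserialize($stored) : $stored;
}

// Constructed input: a plain string whose content is a serialized object.
$input = serialize(new Marker());

$unguarded = load_option(store_unguarded($input));
$guarded   = load_option(store_guarded($input));

// Did the read path turn the submitted string into an object?
var_dump($unguarded instanceof Marker);
// Did the read path hand back the submitted string unchanged?
var_dump($guarded === $input);
```

On the unguarded path the read step revives the string as a Marker object; on the guarded path the extra serialization layer is peeled off and the caller gets the original string back.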
This is also a low-threat vulnerability in that an attacker would need administrator-level permissions to launch a successful attack.
Nevertheless, the official WordPress announcement of the security and maintenance release recommends updating the WordPress installation:
“Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 4.1 and later.”
Bug Fixes In WordPress Core
This release also fixes five bugs in the WordPress core:
- Text isn’t highlighted when editing a page in latest Chrome Dev and Canary
- Update default PHP version used in local Docker Environment for older branches
- wp-login.php: login messages/errors
- Deprecated print_emoji_styles produced during embed
- Attachment pages are only disabled for users that are logged in
In addition to the above five fixes to the Core, there are 16 bug fixes to the Block Editor.
Read the official WordPress Security and Maintenance Release announcement
WordPress descriptions of each of the 21 bug fixes
The Wordfence description of the vulnerabilities:
The WordPress 6.4.3 Security Update – What You Need to Know