WordPress introduced a safety launch model 6.4.3 as a response to 2 vulnerabilities found in WordPress plus 21 bug fixes.
PHP File Add Bypass
The primary patch is for a PHP File Add Bypass Through Plugin Installer vulnerability. It’s a flaw in WordPress that enables an attacker to add PHP information by way of the plugin and theme uploader. PHP is a scripting language that’s used to generate HTML. PHP information will also be used to inject malware into a web site.
Nonetheless, this vulnerability just isn’t as unhealthy because it sounds as a result of the attacker wants administrator degree permissions as a way to execute this assault.
PHP Object Injection Vulnerability
In keeping with WordPress the second patch is for a Distant Code Execution POP Chains vulnerability which might enable an attacker to remotely execute code.
An RCE POP Chains vulnerability sometimes signifies that there’s a flaw that enables an attacker, sometimes by way of manipulating enter that the WordPress web site deserializes, to execute arbitrary code on the server.
Deserialization is the method the place information is transformed right into a serialized format (like a textual content string) deserialization is the half when it’s transformed again into its unique kind.
Wordfence describes this vulnerability as a PHP Object Injection vulnerability and doesn’t point out the RCE POP Chains half.
That is how Wordfence describes the second WordPress vulnerability:
“The second patch addresses the best way that choices are saved – it first sanitizes them earlier than checking the information sort of the choice – arrays and objects are serialized, in addition to already serialized information, which is serialized once more. Whereas this already occurs when choices are up to date, it was not carried out throughout web site set up, initialization, or improve.”
That is additionally a low menace vulnerability in that an attacker would want administrator degree permissions to launch a profitable assault.
Nonetheless, the official WordPress announcement of the safety and upkeep launch recommends updating the WordPress set up:
“As a result of it is a safety launch, it is suggested that you simply replace your websites instantly. Backports are additionally obtainable for different main WordPress releases, 4.1 and later.”
Bug Fixes In WordPress Core
This launch additionally fixes 5 bugs within the WordPress core:
- Textual content isn’t highlighted when modifying a web page in newest Chrome Dev and Canary
- Replace default PHP model utilized in native Docker Setting for older branches
- wp-login.php: login messages/errors
- Deprecated print_emoji_styles produced throughout embed
- Attachment pages are solely disabled for customers which might be logged in
Along with the above 5 fixes to the Core there are a further 16 bug fixes to the Block Editor.
Learn the official WordPress Safety and Upkeep Launch announcement
WordPress descriptions of every of the 21 bug fixes
The Wordfence description of the vulnerabilities:
The WordPress 6.4.3 Safety Replace – What You Have to Know
Featured Picture by Shutterstock/Roman Samborskyi