WordPress has launched model 6.4.2 that incorporates a patch for a crucial severity vulnerability that might permit attackers to execute PHP code on the location and doubtlessly result in a full website takeover.
The vulnerability was traced again to a function launched in WordPress 6.4 that was meant to enhance HTML parsing within the block editor.
The difficulty shouldn’t be current in earlier variations of WordPress and it solely impacts variations 6.4 and 6.4.1.
An official WordPress announcement describes the vulnerability:
“A Distant Code Execution vulnerability that’s not immediately exploitable in core, nonetheless the safety workforce feels that there’s a potential for top severity when mixed with some plugins, particularly in multisite installs.”
Based on an advisory revealed by Wordfence:
“Since an attacker in a position to exploit an Object Injection vulnerability would have full management over the on_destroy and bookmark_name properties, they will use this to execute arbitrary code on the location to simply acquire full management.
Whereas WordPress Core at the moment doesn’t have any recognized object injection vulnerabilities, they’re rampant in different plugins and themes. The presence of an easy-to-exploit POP chain in WordPress core considerably will increase the hazard stage of any Object Injection vulnerability.”
Object Injection Vulnerability
Wordfence advises that Object Injection vulnerabilities usually are not simple to use. Nonetheless they’re recommending that customers of WordPress replace the most recent variations.
WordPress itself advises that customers replace their websites instantly.
Learn the official WordPress announcement:
WordPress 6.4.2 Upkeep & Safety Launch
Learn the Wordfence advisory:
PSA: Important POP Chain Permitting Distant Code Execution Patched in WordPress 6.4.2
Featured Picture by Shutterstock/Nikulina Tatiana