
WordPress strengthens security with latest update

Learn how the latest WordPress update, version 6.4.2, tackles a critical security vulnerability to provide better website protection.

WordPress has released version 6.4.2, which addresses a critical vulnerability. If exploited, the flaw could allow attackers to execute PHP code on the site, potentially giving them complete control of affected websites.

The issue traces back to a feature introduced in WordPress 6.4 to improve HTML parsing within the block editor. The vulnerability affects only versions 6.4 and 6.4.1; earlier versions are unaffected.

An official statement from WordPress highlights the gravity of the situation:

“A Remote Code Execution vulnerability that is not directly exploitable in core, however the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installs.”

Further insights from Wordfence, a renowned security firm, shed light on the potential risks:

“Since an attacker able to exploit an Object Injection vulnerability would have full control over the on_destroy and bookmark_name properties, they can use this to execute arbitrary code on the site to gain full control easily.

While WordPress Core currently does not have any known object injection vulnerabilities, they are rampant in other plugins and themes. The presence of an easy-to-exploit POP chain in WordPress core substantially increases the danger level of any Object Injection vulnerability.”

Importance of timely updates for enhanced protection

Although Object Injection vulnerabilities are challenging to exploit, Wordfence emphasises the importance of updating WordPress to the latest version. WordPress itself underscores the urgency of these updates for improved site protection.
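For administrators who run many sites on one host, the following added example (not code from WordPress or Wordfence) walks a directory tree and flags installs whose core version is 6.4 or 6.4.1, the two releases named above. It assumes the standard core layout, where `wp-includes/version.php` sets `$wp_version`; the helper names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# The two releases the article names as affected; 6.4.2 carries the fix.
AFFECTED = {"6.4", "6.4.1"}
# Core records its version as a line like: $wp_version = '6.4.1';
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)

def parse_wp_version(php_source):
    """Return the version string from version.php text, or None if absent."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None

def audit(root):
    """Walk root and return {install_dir: (version, needs_update)}."""
    results = {}
    for vfile in Path(root).rglob("version.php"):
        # Only the core file counts; plugins may ship their own version.php.
        if vfile.parent.name != "wp-includes":
            continue
        version = parse_wp_version(vfile.read_text(errors="replace"))
        if version is not None:
            # Pre-release strings are reported but not flagged, because the
            # article names only the 6.4 and 6.4.1 releases.
            results[str(vfile.parent.parent)] = (version, version in AFFECTED)
    return results

def build_sample_tree(root):
    """Constructed sample: four fake installs with different core versions."""
    samples = {"shop": "6.4.1", "blog": "6.4.2", "legacy": "6.3.2", "news": "6.4"}
    for name, ver in samples.items():
        d = Path(root) / name / "wp-includes"
        d.mkdir(parents=True)
        (d / "version.php").write_text(f"<?php\n$wp_version = '{ver}';\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, (ver, flagged) in sorted(audit(tmp).items()):
            status = "UPDATE to 6.4.2 or later" if flagged else "not in affected range"
            print(f"{Path(path).name}: {ver} -> {status}")
```

To audit a real host, call `audit()` with the web root instead of the temporary sample tree.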

For more detailed information, refer to the official WordPress announcement: WordPress 6.4.2 Maintenance & Security Release.

Additionally, the Wordfence advisory provides further details: PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2.
