WordPress Releases Version 6.4.2 For Critical Vulnerability


WordPress has released version 6.4.2, which patches a critical-severity vulnerability that could allow attackers to execute PHP code on a site, potentially leading to a full site takeover.

The vulnerability was traced back to a feature introduced in WordPress 6.4 that was meant to improve HTML parsing in the block editor.

The issue is not present in earlier versions of WordPress and it only affects versions 6.4 and 6.4.1.

An official WordPress announcement describes the vulnerability:

“A Remote Code Execution vulnerability that is not directly exploitable in core, however the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installs.”

According to an advisory published by Wordfence:

“Since an attacker able to exploit an Object Injection vulnerability would have full control over the on_destroy and bookmark_name properties, they can use this to execute arbitrary code on the site to easily gain full control.

While WordPress Core currently does not have any known object injection vulnerabilities, they are rampant in other plugins and themes. The presence of an easy-to-exploit POP chain in WordPress core substantially increases the danger level of any Object Injection vulnerability.”

Object Injection Vulnerability

Wordfence advises that Object Injection vulnerabilities are not easy to exploit. Nonetheless, it recommends that WordPress users update to the latest version.

WordPress itself advises that users update their sites immediately.
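To find which installs on a server still need that update, the following added example (not from WordPress or Wordfence) walks a directory tree and flags every install whose `wp-includes/version.php` reports one of the two affected releases named above. The function names are hypothetical, and the script assumes the release is recorded in the `$wp_version` assignment in that file.

```shell
#!/bin/sh
# Added example: inventory WordPress installs under a directory and flag
# the releases this article names as affected (6.4 and 6.4.1).

# Print the value assigned to $wp_version in a wp-includes/version.php file.
# Splitting on quote characters makes field 2 the version string.
wp_version_of() {
    awk -F"['\"]" '/^[[:space:]]*\$wp_version[[:space:]]*=/ { print $2; exit }' "$1"
}

# Succeed only for the affected releases; 6.4.2 carries the fix and
# earlier branches do not contain the issue.
is_affected() {
    case "$1" in
        6.4|6.4.1) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print one line per install found: STATUS<TAB>VERSION<TAB>INSTALL_ROOT
scan_wordpress() {
    find "$1" -type f -path '*/wp-includes/version.php' 2>/dev/null |
    while IFS= read -r f; do
        v=$(wp_version_of "$f")
        root=${f%/wp-includes/version.php}
        if [ -z "$v" ]; then
            status=UNKNOWN      # file present but version not parseable
        elif is_affected "$v"; then
            status=AFFECTED     # update to 6.4.2 or later
        else
            status=ok
        fi
        printf '%s\t%s\t%s\n' "$status" "${v:--}" "$root"
    done
}

# Usage: sh thisfile.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    scan_wordpress "$1"
fi
```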

Read the official WordPress announcement:

WordPress 6.4.2 Maintenance & Security Release

Read the Wordfence advisory:

PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2

Featured Image by Shutterstock/Nikulina Tatiana


