WordPress releases version 6.4.2 for critical vulnerability

WordPress has released version 6.4.2, which contains a patch for a critical vulnerability that could allow attackers to execute PHP code on a site and potentially lead to a full site takeover.

The vulnerability was traced to a feature introduced in WordPress 6.4 that was intended to improve HTML parsing in the block editor.

The issue is not present in older versions of WordPress; only versions 6.4 and 6.4.1 are affected.

An official WordPress announcement describes the vulnerability:

“A remote code execution vulnerability that is not directly exploitable in core, but the security team believes there is a potential for high severity when combined with some plugins, especially in multisite installations.”

According to an advisory published by Wordfence:

“Because an attacker capable of exploiting an object injection vulnerability would have full control over the on_destroy and bookmark_name properties, they can use this to execute arbitrary code on the site to easily gain full control.

While WordPress Core currently has no known object injection vulnerabilities, they are rampant in other plugins and themes. The presence of an exploitable POP chain in WordPress core substantially increases the danger level of any object injection vulnerability.”

Object injection vulnerability

Wordfence advises that object injection vulnerabilities are not easy to exploit. Nevertheless, they recommend that WordPress users update to the latest version.
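The chain described above only fires when untrusted serialized data reaches unserialize() and an object with a dangerous destructor gets instantiated. As an added illustration (not code from the article, WordPress or Wordfence), the PHP 8 helper below shows the defensive side: it deserializes with class instantiation disabled and rejects any result that still carries an object, so a destructor-based gadget cannot run. The function names and the sample inputs are my own.

```php
<?php
declare(strict_types=1);

/**
 * Added example, not from WordPress or Wordfence: deserialize untrusted
 * data without ever instantiating a class. With allowed_classes=false,
 * every object in the payload becomes __PHP_Incomplete_Class, whose
 * magic methods (__wakeup, __destruct) are never invoked, so a POP chain
 * like the one patched in 6.4.2 has nothing to latch onto.
 */
function safe_unserialize(string $data): mixed
{
    // Suppress the notice PHP raises on malformed input; we report it ourselves.
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== 'b:0;') {
        throw new InvalidArgumentException('Malformed serialized data');
    }
    // Fail closed: even a neutralised incomplete object is not accepted,
    // because callers should only ever receive scalars and arrays here.
    if (contains_object($value)) {
        throw new InvalidArgumentException('Serialized objects are not accepted');
    }
    return $value;
}

// Recursively checks whether a deserialized value contains any object.
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs: a harmless array, and a payload smuggling an object
// inside an array (stdClass stands in for any gadget class).
$harmless = serialize(['bookmark' => 'intro', 'count' => 3]);
$tainted  = 'a:1:{i:0;O:8:"stdClass":1:{s:4:"name";s:3:"foo";}}';

var_dump(safe_unserialize($harmless));
try {
    safe_unserialize($tainted);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

Where the data format is under your control, storing JSON and using json_decode() avoids the problem entirely, since JSON cannot describe PHP objects.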

WordPress itself advises users to update their sites immediately.

Read the official WordPress announcement:

WordPress Maintenance and Security Version 6.4.2

Read the Wordfence notice:

PSA: Critical POP chain enabling remote code execution patched in WordPress 6.4.2

Featured image by Shutterstock/Nikulina Tatiana

About the Author: Ted Simmons

I follow and report the current news trends on Google news.
