The security version of WordPress 6.4.3 fixes two vulnerabilities

WordPress has released version 6.4.3, a security and maintenance release that patches two vulnerabilities in WordPress core and ships 21 bug fixes.

PHP file upload bypass

The first patch addresses a PHP file upload bypass in the plugin installer: a flaw in WordPress that allowed PHP files to be uploaded through the plugin and theme uploader. PHP is the server-side language WordPress itself runs on, so a PHP file that an attacker manages to place on the server is executed by the web server rather than served as static content, which makes it a direct route to running malware on the site.

However, this vulnerability is less severe than it sounds, because the attacker needs administrator-level permissions to carry out the upload in the first place.

PHP object injection vulnerability

According to WordPress, the second patch is for a remote code execution (RCE) POP chain vulnerability that could allow an attacker to execute code remotely.

A POP chain (property-oriented programming) is a sequence of classes the site already loads whose magic methods (such as __wakeup() or __destruct()) run automatically when serialized data is unserialized. An RCE POP chain vulnerability therefore means that an attacker who can control input the WordPress site deserializes can use such a chain to execute arbitrary code on the server.

Serialization is the process of converting data (such as a PHP array or object) into a storable format like a text string; deserialization is the reverse step, converting that string back into its original form, which in PHP means instantiating the object and restoring its properties from the attacker-controlled string.

Wordfence describes this vulnerability as a PHP object injection vulnerability and does not use the RCE POP chain terminology.

This is how Wordfence describes the second WordPress vulnerability:

“The second patch addresses the way options are stored, first sanitizing them before checking the option’s data type, arrays and objects are serialized, as well as already serialized data, which is re-serialized. Although this already happens when the options are updated, it was not performed during site installation, initialization, or update.”

This is also a low-threat vulnerability, as an attacker would need administrator-level permissions to launch a successful attack.
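To make the serialization point concrete, here is an added example written for this page, not code from WordPress or Wordfence. It shows the PHP object injection pattern described above and the re-serialization behaviour that Wordfence's description refers to. The class LogFlusher is a hypothetical gadget, and raw_store(), safe_store(), read_option() and looks_serialized() are simplified stand-ins for option storage and for the maybe_serialize()/maybe_unserialize() idea, not WordPress's implementation. It needs PHP 7.0 or later for the allowed_classes option of unserialize().

```php
<?php
// Added example, not WordPress or Wordfence code.

// Hypothetical gadget class standing in for any class a site already autoloads
// whose magic methods act on attacker-controlled properties. A __destruct()
// that writes a file is the classic sink at the end of a POP chain; here it
// only reports what it would have done.
class LogFlusher
{
    public $path;
    public $content;

    public function __destruct()
    {
        echo "LogFlusher::__destruct() would write " . strlen((string) $this->content)
            . " bytes to {$this->path}\n";
    }
}

// Simplified stand-in for an is_serialized() check: does the string look like
// serialize() output (array, object, string, int, bool, float, or null)?
function looks_serialized($data)
{
    return is_string($data) && (bool) preg_match('/^(?:[aOsibd]:|N;)/', $data);
}

// Vulnerable write path: arrays and objects are serialized, but a plain string
// is stored as-is even when it already looks like serialized data.
function raw_store($value)
{
    if (is_array($value) || is_object($value)) {
        return serialize($value);
    }
    return (string) $value;
}

// Hardened write path: a string that already looks serialized is serialized
// AGAIN, so a later unserialize() unwraps exactly one layer and hands back the
// original string instead of instantiating an object from it.
function safe_store($value)
{
    if (is_array($value) || is_object($value) || looks_serialized($value)) {
        return serialize($value);
    }
    return (string) $value;
}

// Read path shared by both write paths (the maybe_unserialize() idea).
function read_option($stored)
{
    return looks_serialized($stored) ? unserialize($stored) : $stored;
}

function describe($value)
{
    return is_object($value) ? get_class($value) : gettype($value);
}

// Constructed attacker input: a serialized LogFlusher with attacker-chosen
// properties, arriving as an ordinary string (for example as an option value).
$payload = 'O:10:"LogFlusher":2:{s:4:"path";s:13:"/tmp/evil.php";s:7:"content";s:5:"<?php";}';

// Vulnerable path: the raw string is stored, unserialize() instantiates the
// gadget, and its __destruct() runs with the attacker's properties.
$injected = read_option(raw_store($payload));
echo "raw_store  -> " . describe($injected) . "\n";
unset($injected); // trigger the destructor right away for the demo

// Hardened path: the double-serialized value unwraps to a harmless string.
$inert = read_option(safe_store($payload));
echo "safe_store -> " . describe($inert) . "\n";

// Defence in depth when unserialize() of untrusted data cannot be avoided:
// refuse to instantiate any class (PHP 7.0+), leaving an inert placeholder.
$stub = unserialize($payload, ['allowed_classes' => false]);
echo "allowed_classes=false -> " . describe($stub) . "\n";
```

Run it with the PHP CLI. The raw path yields a LogFlusher object and its destructor fires; the hardened path yields a string, because the stored value was the serialized form of the attacker's string rather than the string itself; the allowed_classes=false call yields a __PHP_Incomplete_Class whose magic methods never run. Where an application must accept structured data from users, JSON is the safer interchange format, since json_decode() never instantiates arbitrary classes.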

However, the official WordPress security and maintenance release announcement recommends updating your WordPress installation:

“As this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress versions, 4.1 and later.”

Bug fixes in WordPress core

This release also fixes five bugs in WordPress core:

Text not highlighted when editing page in Chrome Dev and Canary
Update latest default PHP version used in local Docker environment for older branches
wp-login.php: Login messages/errors
Deprecated print_emoji_styles produced during embedding
Attached pages are only disabled for users who are logged in

In addition to the five fixes above in core, there are 16 additional bug fixes in the block editor.

Read the WordPress Security and Maintenance Release Announcement

WordPress descriptions of each of the 21 bug fixes

Wordfence’s description of the vulnerabilities:

The WordPress 6.4.3 Security Update: What You Need to Know

Featured image by Shutterstock/Roman Samborskyi


About the Author: Ted Simmons

I follow and report the current news trends on Google news.
