WordPress has launched model 6.4.2 with a patch for a vital security flaw that may very well be exploited by menace actors by combining it with one other bug to execute arbitrary PHP code on susceptible websites.
“A distant code execution vulnerability that isn’t immediately exploitable in core; nevertheless, the security crew feels that there’s a potential for top severity when mixed with some plugins, particularly in multisite installations,” WordPress stated.
Based on WordPress security firm Wordfence, the problem is rooted within the WP_HTML_Token class that was launched in model 6.4 to enhance HTML parsing within the block editor.
A menace actor with the power to take advantage of a PHP object injection vulnerability current in another plugin or theme to chain the 2 points to execute arbitrary code and seize management of the focused web site.
“If a POP [property-oriented programming] chain is current through a further plugin or theme put in on the goal system, it might permit the attacker to delete arbitrary information, retrieve delicate information, or execute code,” Wordfence famous beforehand in September 2023.
In the same advisory launched by Patchstack, the corporate stated an exploitation chain has been made obtainable on GitHub as of November 17 and added to the PHP Generic Gadget Chains (PHPGGC) undertaking. It is really helpful that customers manually test their websites to make sure that it is up to date to the newest model.
“If you’re a developer and any of your initiatives comprise perform calls to the unserialize perform, we extremely suggest you swap this with one thing else, equivalent to JSON encoding/decoding utilizing the json_encode and json_decode PHP capabilities,” Patchstack CTO Dave Jong stated.