WordPress released version 6.4.3 on January 30, 2024, containing two security patches that address longstanding, yet minor, security concerns in WordPress Core. The first patch resolves an issue that allowed users with Administrator or Super Administrator privileges to upload PHP files directly to a site via the Plugin and Theme file upload mechanism; this only poses a concern in heavily locked-down configurations, since such users are otherwise already trusted to install code. Wordfence had tracked this issue as a low-priority informational security alert since August 2023. The second patch changes the way options are stored, sanitizing them before checking the data type of the option, in order to address a potential PHP Object Injection issue. Both issues are likely to affect only a few WordPress sites in the real world, and the fixes have been backported to WordPress 4.1 and later.
In conclusion, the security patches in WordPress 6.4.3 primarily serve as increased hardening, as the circumstances in which they are likely to have a security impact are incredibly rare. Nonetheless, it is recommended to update to this version within a reasonable time frame, especially for sites that rely on a hardened configuration due to regulatory requirements.