WordPress has recently released version 6.4.2, which includes a patch for a critical severity vulnerability that could potentially lead to a full site takeover. The vulnerability was found in a feature introduced in WordPress 6.4 that was meant to improve HTML parsing in the block editor. It only affects versions 6.4 and 6.4.1 and is not present in earlier versions of WordPress.
The official WordPress announcement describes the vulnerability as a Remote Code Execution vulnerability that is not directly exploitable in core but has the potential for high severity when combined with certain plugins, especially in multisite installs. An advisory published by Wordfence explains that an attacker who is able to exploit an Object Injection vulnerability would have full control over certain properties, allowing them to execute arbitrary code on the site and gain full control. While WordPress Core does not have any known Object Injection vulnerabilities, they are prevalent in plugins and themes, so the presence of an easily exploitable POP chain in WordPress core significantly increases the danger level of any Object Injection vulnerability.
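The entry point the advisory refers to is a plugin or theme that passes attacker-controlled data to `unserialize()`; the POP chain in core is only reachable once that happens. The following added example (not code from the article, Wordfence, or WordPress core) shows that pattern beside two hardened forms. The class `AuditLogEntry` and the functions `vulnerable_load_settings`, `safe_load_settings` and `safe_load_settings_json` are hypothetical names for illustration, and the serialized string is constructed input; the class is deliberately inert and only counts how often `__wakeup()` runs, so the point observed is whether attacker-supplied objects get instantiated at all.

```php
<?php
// Added example: Object Injection entry point in a hypothetical plugin, before and after.
// AuditLogEntry is a stand-in for any application class with a magic method; it does
// nothing except record that __wakeup() was invoked.
class AuditLogEntry {
    public $path = '';
    public static $wakeupCalls = 0;
    public function __wakeup() {
        self::$wakeupCalls++;
    }
}

// BEFORE: untrusted data (a cookie, an option value, a form field) goes straight into
// unserialize(). Any class loaded in the application can be instantiated, so a gadget
// chain in core or another plugin becomes reachable.
function vulnerable_load_settings(string $untrusted): array {
    $data = unserialize($untrusted);
    return is_array($data) ? $data : [];
}

// AFTER, option 1: allowed_classes => false (PHP >= 7.0) turns every serialized object
// into __PHP_Incomplete_Class, so no magic methods run. Anything that is not a plain
// array of scalars is rejected outright.
function safe_load_settings(string $untrusted): array {
    $data = @unserialize($untrusted, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    // Defensive walk: refuse payloads that smuggle an object anywhere in the tree.
    array_walk_recursive($data, function ($value) {
        if (is_object($value)) {
            throw new InvalidArgumentException('objects are not accepted in settings');
        }
    });
    return $data;
}

// AFTER, option 2 (preferred for new code): persist settings as JSON. json_decode()
// never instantiates application classes, so there is no object graph to abuse.
function safe_load_settings_json(string $untrusted): array {
    $data = json_decode($untrusted, true, 32, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Constructed sample input: a serialized array whose single element is an AuditLogEntry
// object, standing in for what an attacker-controlled value might carry.
$constructed = 'a:1:{s:5:"entry";O:13:"AuditLogEntry":1:{s:4:"path";s:8:"/tmp/abc";}}';

vulnerable_load_settings($constructed);
echo "vulnerable: __wakeup ran " . AuditLogEntry::$wakeupCalls . " time(s)\n"; // 1

AuditLogEntry::$wakeupCalls = 0;
try {
    safe_load_settings($constructed);
} catch (InvalidArgumentException $e) {
    echo "safe: rejected (" . $e->getMessage() . ")\n";
}
echo "safe: __wakeup ran " . AuditLogEntry::$wakeupCalls . " time(s)\n"; // 0

// The JSON variant accepts ordinary settings and cannot express an object at all.
$settings = safe_load_settings_json('{"theme":"dark","per_page":20}');
echo "json: loaded " . count($settings) . " setting(s)\n"; // 2
```

When auditing a plugin, search for `unserialize(` calls whose argument can be influenced by a request, a cookie, or a database value that an unprivileged user can write; each one is a potential entry point that the core POP chain turns into code execution. WordPress's own `maybe_unserialize()` wraps `unserialize()` without an `allowed_classes` restriction, so data passed through it from untrusted sources deserves the same scrutiny.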
Wordfence advises that Object Injection vulnerabilities are not easy to exploit but still recommends that users of WordPress update to the latest versions. WordPress itself urges users to update their sites immediately to address the vulnerability.
For more information, users can read the official WordPress announcement titled “WordPress 6.4.2 Maintenance & Security Release” and the Wordfence advisory titled “PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2.”