WordPress has launched model 6.4.2 with a patch for a crucial safety flaw that might be exploited by menace actors by combining it with one other bug to execute arbitrary PHP code on weak websites.
“A distant code execution vulnerability that isn’t immediately exploitable in core; nonetheless, the safety crew feels that there’s a potential for prime severity when mixed with some plugins, particularly in multisite installations,” WordPress mentioned.
In line with WordPress safety firm Wordfence, the concern is rooted within the WP_HTML_Token class that was launched in model 6.4 to enhance HTML parsing within the block editor.
A menace actor with the power to use a PHP object injection vulnerability current in some other plugin or theme to chain the 2 points to execute arbitrary code and seize management of the focused website.
“If a POP [property-oriented programming] chain is current through an extra plugin or theme put in on the goal system, it may enable the attacker to delete arbitrary recordsdata, retrieve delicate knowledge, or execute code,” Wordfence famous beforehand in September 2023.
In an analogous advisory launched by Patchstack, the corporate mentioned an exploitation chain has been made accessible on GitHub as of November 17 and added to the PHP Generic Gadget Chains (PHPGGC) mission. It is really helpful that customers manually test their websites to make sure that it is up to date to the most recent model.
“If you’re a developer and any of your tasks include perform calls to the unserialize perform, we extremely suggest you swap this with one thing else, akin to JSON encoding/decoding utilizing the json_encode and json_decode PHP capabilities,” Patchstack CTO Dave Jong mentioned.
