WordPress has released version 6.4.2 with a patch for a critical security flaw that could be exploited by threat actors by combining it with another bug to execute arbitrary PHP code on vulnerable sites.
“A remote code execution vulnerability that isn’t directly exploitable in core; however, the security team feels that there’s a potential for high severity when combined with some plugins, especially in multisite installations,” WordPress said.
According to WordPress security company Wordfence, the issue is rooted in the WP_HTML_Token class that was introduced in version 6.4 to improve HTML parsing in the block editor.
A threat actor with the ability to exploit a PHP object injection vulnerability present in any other plugin or theme could chain the two issues to execute arbitrary code and seize control of the targeted site.
“If a POP [property-oriented programming] chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code,” Wordfence noted previously in September 2023.
In a similar advisory released by Patchstack, the company said an exploitation chain has been made available on GitHub as of November 17 and added to the PHP Generic Gadget Chains (PHPGGC) project. It is recommended that users manually check their sites to ensure that they are updated to the latest version.
“If you are a developer and any of your projects contain function calls to the unserialize function, we highly recommend you swap this with something else, such as JSON encoding/decoding using the json_encode and json_decode PHP functions,” Patchstack CTO Dave Jong said.
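The advice above is easiest to follow with a concrete before-and-after. The following is an added example written for this article; it is not WordPress core code, not the WP_HTML_Token class, and not from any real plugin. The `PluginSettings` class and the `load_settings_*` functions are hypothetical. It shows the pattern that makes a site a usable host for a PHP object injection chain (calling `unserialize()` on data an attacker can influence), followed by the two defensive options: disabling class instantiation with `allowed_classes => false`, and replacing PHP serialization with JSON as Patchstack recommends.

```php
<?php
// Added example (not WordPress core or any real plugin code): a hypothetical
// plugin that stores its settings as a string and reads them back.

// Hypothetical settings object a plugin might persist.
final class PluginSettings {
    public string $theme = 'default';
    public int $itemsPerPage = 10;
}

// VULNERABLE PATTERN: unserialize() on input the attacker can influence
// (request body, cookie, imported file, ...). PHP instantiates whatever class
// the payload names, so any class with __wakeup/__destruct/__toString that is
// loadable on the site (core, plugins, themes) becomes a potential gadget.
// The instanceof check below runs only after unserialize() has already
// created the object and executed its __wakeup().
function load_settings_unsafe(string $raw): PluginSettings {
    $obj = unserialize($raw);
    if (!$obj instanceof PluginSettings) {
        throw new UnexpectedValueException('bad settings');
    }
    return $obj;
}

// MITIGATION 1: keep unserialize() but forbid instantiating any class.
// Objects in the payload become __PHP_Incomplete_Class instances whose magic
// methods never run; anything that is not a plain array is rejected.
function load_settings_no_classes(string $raw): array {
    $data = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new UnexpectedValueException('bad settings');
    }
    return $data;
}

// MITIGATION 2 (Patchstack's recommendation): JSON instead of PHP serialization.
// json_decode() with $associative = true can only ever yield scalars and
// arrays, so there is no class to instantiate and no gadget chain to trigger.
function save_settings(PluginSettings $s): string {
    return json_encode(
        ['theme' => $s->theme, 'itemsPerPage' => $s->itemsPerPage],
        JSON_THROW_ON_ERROR
    );
}

function load_settings_json(string $raw): PluginSettings {
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    // Validate shape and types explicitly; never trust the decoded structure.
    if (!is_array($data)
        || !is_string($data['theme'] ?? null)
        || !is_int($data['itemsPerPage'] ?? null)) {
        throw new UnexpectedValueException('bad settings');
    }
    $s = new PluginSettings();
    $s->theme = $data['theme'];
    $s->itemsPerPage = $data['itemsPerPage'];
    return $s;
}

// Constructed demo inputs.
$json = save_settings(new PluginSettings());
var_dump(load_settings_json($json)->itemsPerPage === 10);   // bool(true)

// A serialized payload naming some other class is reduced to
// __PHP_Incomplete_Class under allowed_classes => false, so no constructor,
// __wakeup or __destruct logic of that class executes.
$foreign = 'O:8:"stdClass":0:{}';                             // constructed payload
$obj = unserialize($foreign, ['allowed_classes' => false]);
var_dump(get_class($obj) === '__PHP_Incomplete_Class');      // bool(true)

// The array-only loader rejects it outright.
try {
    load_settings_no_classes($foreign);
} catch (UnexpectedValueException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Mitigation 1 is the smaller change when a code base already stores PHP-serialized arrays (WordPress options frequently do), but it only helps at call sites you control; the class-instantiation behaviour of any other plugin's `unserialize()` call is unaffected. Moving to JSON removes the deserialization entry point entirely, which is why it is the preferred fix.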