Tapptic – Blog | WordPress 6.4.2 Security Patch
WordPress 6.4.2 has been released with a fix for a critical security flaw that, when chained with a second bug, could let attackers execute arbitrary PHP code on vulnerable sites.
According to WordPress, the issue is not directly exploitable in core on its own, but the security team believes it carries high severity when combined with certain plugins, especially in multisite installations.
The flaw lies in the WP_HTML_Token class, introduced in version 6.4 to improve HTML parsing in the block editor, as identified by WordPress security company Wordfence. The class's destructor invokes a callable stored in one of its properties, which makes an unserialized instance a ready-made gadget for anyone who controls serialized data.
By chaining this gadget with a PHP object injection vulnerability (an unserialize() call on untrusted input) in any plugin or theme, an attacker can execute arbitrary code and potentially take over the site, per Wordfence's assessment from September 2023.
Patchstack, in a similar advisory, noted that an exploitation chain has been publicly available on GitHub since November 17 and has been added to the PHP Generic Gadget Chains (PHPGGC) project. Patchstack recommends that site owners manually verify their installations have actually updated to the latest version rather than assuming automatic updates ran.
Patchstack's CTO, Dave Jong, advised developers to replace calls to the unserialize function with an alternative such as JSON encoding and decoding via the json_encode and json_decode PHP functions, so that untrusted data can never instantiate PHP objects in the first place.
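The following PHP script is an added illustration, not code from WordPress core, Wordfence or Patchstack. It shows the gadget pattern the advisory describes (a destructor that fires a stored callable), a vulnerable unserialize() sink with a constructed payload, and two hardened sinks: unserialize() with allowed_classes disabled, and the JSON approach Dave Jong recommends. The class Demo_Token, the function gadget_fired and the payload string are hypothetical stand-ins; the WP_HTML_Token name appears only in comments.

```php
<?php
// Hypothetical stand-in for the WP_HTML_Token gadget: a public property
// holding a callable that __destruct() invokes. No constructor ever runs
// when the object comes from unserialize(), so the property is whatever
// the serialized string says it is.
class Demo_Token {
    public $on_destroy = null;

    public function __destruct() {
        if ( is_callable( $this->on_destroy ) ) {
            call_user_func( $this->on_destroy );
        }
    }

    // The fix WordPress 6.4.2 shipped takes the complementary, class-side
    // approach: a __wakeup() that throws, so unserialize() can never yield
    // a live instance. Left commented out here so the vulnerable path below
    // still runs for demonstration.
    // public function __wakeup() {
    //     throw new LogicException( __CLASS__ . ' should never be unserialized' );
    // }
}

// Stands in for whatever the attacker would really call (shell_exec, etc.).
function gadget_fired() {
    echo "destructor ran an attacker-chosen callable\n";
}

// Constructed payload: an attacker-controlled string that a plugin or theme
// passes to unserialize(), e.g. from a cookie, a request parameter or a
// database row. It names the gadget class and sets on_destroy.
$payload = 'O:10:"Demo_Token":1:{s:10:"on_destroy";s:12:"gadget_fired";}';

// Vulnerable sink: instantiates Demo_Token from untrusted data. The moment
// the object's refcount drops to zero, __destruct() fires.
function vulnerable_load( string $data ) {
    return unserialize( $data );
}

// Hardened sink 1: keep unserialize() but forbid instantiating any class
// (PHP 7.0+). Objects in the input become __PHP_Incomplete_Class, which has
// no __destruct and no gadget behaviour.
function hardened_load_no_classes( string $data ) {
    return unserialize( $data, [ 'allowed_classes' => false ] );
}

// Hardened sink 2 (Patchstack's advice): use JSON for untrusted data. JSON
// has no notion of PHP classes, so json_decode() can only ever return
// scalars, arrays and stdClass; with assoc=true it returns arrays only.
function hardened_load_json( string $data ) {
    return json_decode( $data, true, 512, JSON_THROW_ON_ERROR );
}

// 1. Vulnerable path: return value is discarded, object is destroyed,
//    gadget_fired() runs.
vulnerable_load( $payload );

// 2. allowed_classes => false: no Demo_Token is created, nothing fires.
$safe = hardened_load_no_classes( $payload );
var_dump( $safe instanceof __PHP_Incomplete_Class );   // bool(true)

// 3. JSON: the same data shape, but it is just an array of strings.
$json = hardened_load_json( '{"on_destroy":"gadget_fired"}' );
var_dump( $json );   // array(1) { ["on_destroy"]=> string(12) "gadget_fired" }

// 4. Trying to smuggle a PHP object through JSON is simply a decode error.
try {
    hardened_load_json( $payload );
} catch ( JsonException $e ) {
    echo "JSON path rejected the serialized object: ", $e->getMessage(), "\n";
}
```

Run it with `php demo.php`. The first call prints the destructor message, demonstrating that the serialized string alone, with no constructor involved, is enough to reach call_user_func(). The two hardened variants never execute anything. When auditing a plugin or theme, grep for unserialize( and maybe_unserialize( on data that originates from requests, cookies, options or post meta; each such call is a potential first link in the chain described above, regardless of which gadget class happens to be present in the install.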
