Los Angeles | December 8, 2023 – According to a recent post on Search Engine Journal, a critical security issue has been fixed in the latest WordPress release. Version 6.4.2 patches a severe vulnerability that could allow attackers to execute PHP code on a website, with the potential for complete site takeover.
The vulnerability stems from a feature introduced in WordPress 6.4 to improve HTML parsing in the block editor. Notably, it affects only versions 6.4 and 6.4.1, not earlier releases.
The official WordPress statement describes the vulnerability as a “Remote Code Execution” flaw. It is not directly exploitable in core on its own, but the security team stresses its potential severity when combined with certain plugins, especially in multisite installations.
Wordfence, in its advisory, explains that an “Object Injection” vulnerability lets an attacker control the properties of objects the application deserializes; combined with a suitable chain of classes (a POP chain), that control can be turned into arbitrary code execution and full control of a site. Although such vulnerabilities are not simple to exploit, Wordfence strongly recommends that WordPress users update to the latest version, because the existence of an exploitable chain in WordPress core raises the risk.
WordPress Core itself has no known object injection vulnerabilities (the entry point), but such vulnerabilities are common in plugins and themes. Because the affected core versions supply a chain that can turn any such injection into code execution, the risk of every Object Injection vulnerability in the WordPress ecosystem is raised.
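To make the plugin-side entry point and its fix concrete, here is an added example in PHP (not code from WordPress, Wordfence or the article; the cookie-stored preference setting and the function names are hypothetical): the unsafe unserialize() pattern that constitutes an Object Injection vulnerability, beside a hardened version that refuses to instantiate any class at all.

```php
<?php
// Added example, not code from WordPress, Wordfence or the article: a hypothetical
// plugin reads a preference blob from user-controlled input. First the unsafe
// pattern that creates an Object Injection entry point, then a hardened version.

// Unsafe (hypothetical plugin code): unserialize() on user-controlled input will
// instantiate any loadable class with attacker-chosen properties. Whether that
// becomes code execution depends only on which gadget classes happen to exist
// in core, plugins and themes, which the plugin author does not control.
function load_prefs_unsafe(string $raw): array {
    $prefs = unserialize($raw);        // Object Injection entry point
    return is_array($prefs) ? $prefs : [];
}

// Hardened: only scalars and arrays may come back. With allowed_classes => false,
// any serialized object becomes __PHP_Incomplete_Class, which we reject outright
// instead of letting it reach application code (or a destructor). max_depth limits
// resource use on deeply nested input (PHP 7.4+).
function load_prefs_safe(string $raw): array {
    // Cheap early refusal: serialized object (O:) or custom-serialized (C:) markers.
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $raw)) {
        return [];
    }
    $prefs = @unserialize($raw, ['allowed_classes' => false, 'max_depth' => 8]);
    if (!is_array($prefs) || contains_object($prefs)) {
        return [];
    }
    return $prefs;
}

// Recursive check; is_object() is also true for __PHP_Incomplete_Class.
function contains_object($value): bool {
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs: a legitimate preference array and a harmless object probe.
$benign = serialize(['theme' => 'dark', 'per_page' => 20]);
$probe  = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';
echo count(load_prefs_safe($benign)), ' keys accepted from benign input', PHP_EOL;
echo count(load_prefs_safe($probe)), ' keys accepted from object probe', PHP_EOL;
```

Where a plugin can choose its format, storing preferences as JSON and reading them with json_decode() removes the unserialize() entry point entirely.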
Both WordPress and Wordfence urge users to update to the latest WordPress release (6.4.2) to mitigate these security concerns. For more information, see the official WordPress announcement “WordPress 6.4.2 Maintenance & Security Release” and the Wordfence advisory “PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2”.