Critical Vulnerability Addressed in Latest WordPress Release: Version 6.4.2 Unveiled
WordPress has released version 6.4.2 to address a vulnerability that, when chained with a PHP Object Injection (insecure deserialization) flaw elsewhere on the site, lets an attacker execute arbitrary PHP code and take over the site completely.
The vulnerability lies in the HTML API, a feature introduced in WordPress 6.4 to improve HTML parsing in the block editor. Only versions 6.4 and 6.4.1 are affected; earlier releases do not contain the feature and are not vulnerable.
The official WordPress announcement describes the nature of the vulnerability:
"Although a Remote Code Execution vulnerability isn't directly exploitable in the core, the security team recognizes the potential for high severity when coupled with certain plugins, particularly in multisite installations."
Wordfence's advisory sheds further light:
"Given that an attacker exploiting an Object Injection flaw gains control over properties like on_destroy and bookmark_name, they can execute arbitrary code on the site, quickly gaining complete control.
While WordPress Core doesn't currently exhibit object injection vulnerabilities, they're prevalent in numerous plugins and themes. An exploitable POP chain in WordPress core significantly amplifies the risk associated with any Object Injection vulnerability."
Object Injection Vulnerability
Wordfence notes that Object Injection vulnerabilities can be difficult to exploit on their own, since this gadget only becomes dangerous when paired with a plugin or theme that deserializes attacker-controlled input, but it still strongly recommends that all users update to the latest WordPress version.
WordPress likewise urges site owners to update without delay.
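The following is an added example, not code from WordPress, Wordfence or any plugin. It reproduces the shape of the gadget the advisory describes (a destructor that calls a callable stored in one object property with another property as the argument) beside a hypothetical plugin that deserializes a visitor-controlled value, then shows both mitigations: removing the gadget on the core side and refusing to instantiate objects on the plugin side. The class names, the `read_prefs` functions and the payload are all constructed for the demo.

```php
<?php
// Added, simplified example (not WordPress, Wordfence or any plugin's code).
// Class and function names are hypothetical; the payload is constructed.

// Simplified stand-in for the gadget class: a destructor that invokes a
// callable held in one property, passing another property as its argument.
class Token
{
    public $bookmark_name;
    public $on_destroy;

    // Runs automatically when the object is garbage-collected. The
    // application never has to call a method on the object for this to fire.
    public function __destruct()
    {
        if (is_callable($this->on_destroy)) {
            call_user_func($this->on_destroy, $this->bookmark_name);
        }
    }
}

// The same class with the gadget removed: a destructor that never invokes
// data-driven callables cannot be used as a POP chain link.
class HardenedToken
{
    public $bookmark_name;
    public $on_destroy;
}

// Hypothetical plugin code with an Object Injection flaw: it deserializes a
// value the visitor controls (for example a cookie or a POST field).
function vulnerable_read_prefs(string $raw)
{
    return unserialize($raw);
}

// Hardened form: objects are never instantiated from the input, so no class
// in core, a plugin or a theme can act as a gadget. Arrays still round-trip;
// anything else falls back to defaults.
function safe_read_prefs(string $raw): array
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Constructed attacker payload: a serialized Token whose on_destroy is a
// callable and whose bookmark_name is that callable's argument. 'print_r'
// stands in for what an attacker would actually use (system, shell_exec, ...).
$payload = 'O:5:"Token":2:{s:10:"on_destroy";s:7:"print_r";'
         . 's:13:"bookmark_name";s:24:"pwned by deserialization";}';

// Vulnerable path: the return value is discarded, yet the destructor still
// runs the attacker's callable when the temporary object is freed.
vulnerable_read_prefs($payload);

// Hardened path: unserialize() yields __PHP_Incomplete_Class instead of a
// Token, so no destructor runs and the plugin gets its defaults.
var_dump(safe_read_prefs($payload));
```

Running the script prints the attacker's string from the vulnerable path and an empty array from the hardened one. Two points follow from it: the plugin-side fix is to pass `['allowed_classes' => false]` (or to use JSON instead of PHP serialization) wherever untrusted data is deserialized, and the core-side fix is to keep destructors and other magic methods from acting on data that could have come from `unserialize()`. A gadget in core is reachable from every object injection flaw in every installed plugin and theme, which is why Wordfence rates the combination as severe.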
For the full details, refer to the official WordPress announcement: WordPress 6.4.2 Maintenance & Security Release