WordPress released version 6.4.2 with a patch for a critical security flaw that threat actors could exploit by combining it with another bug to execute arbitrary PHP code on vulnerable sites.
“A remote code execution vulnerability that cannot be directly exploited in the core; however, the security team feels that there is a potential for high severity when combined with certain plugins, especially in multisite installations,” WordPress says.
According to WordPress security company Wordfence, the issue is rooted in the WP_HTML_Token class introduced in version 6.4 to improve HTML parsing in the block editor.
A threat actor capable of exploiting a PHP object injection vulnerability present in any other plugin or theme could chain the two issues together to execute arbitrary code and gain control of the targeted site.
“If the POP (property-oriented programming) chain is through an additional plugin or theme installed on the target system, it may allow an attacker to delete arbitrary files, obtain sensitive data, or execute code,” Wordfence said.
In a similar advisory issued by Patchstack, the company said that an exploit chain was made available on GitHub on November 17 and added to the PHP Generic Gadget Chains (PHPGGC) project. Users are advised to manually check their sites to ensure they are updated to the latest version.
“If you are a developer and any of your projects have function calls to the unserialize function, we recommend that you replace them with something else, such as JSON encoding/decoding using the json_encode and json_decode PHP functions,” Patchstack CTO Dave Jong says.
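As an added illustration of that recommendation (example code written for this page, not code from WordPress, Wordfence or Patchstack), the snippet below shows the unserialize() sink that makes a POP chain reachable beside the JSON replacement and, for code that cannot change its storage format yet, the `allowed_classes` option that stops object instantiation; the class, function and cookie names are hypothetical.

```php
<?php
// Hypothetical preference object a plugin might persist in a cookie.
final class UserPrefs
{
    public function __construct(public string $theme = 'light', public int $pageSize = 20) {}
}

// BEFORE: untrusted bytes reach unserialize(). The injected object is built
// (and its __wakeup/__destruct run) before the instanceof check below can
// reject it, so any class shipped by a loaded plugin or theme becomes a gadget.
function loadPrefsUnsafe(string $cookie): UserPrefs
{
    $obj = unserialize($cookie);                      // object injection sink
    return $obj instanceof UserPrefs ? $obj : new UserPrefs();
}

// AFTER (what Patchstack recommends): json_decode() only yields arrays and
// scalars, so no class is instantiated from user input. Requires PHP 8.0+.
function loadPrefsJson(string $cookie): UserPrefs
{
    try {
        $data = json_decode($cookie, true, 512, JSON_THROW_ON_ERROR);
    } catch (JsonException) {
        return new UserPrefs();                       // malformed input: safe default
    }
    if (!is_array($data)) {
        return new UserPrefs();
    }
    // Validate every field before trusting it; unknown keys are ignored.
    $theme = in_array($data['theme'] ?? null, ['light', 'dark'], true) ? $data['theme'] : 'light';
    $size  = filter_var($data['pageSize'] ?? 20, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    return new UserPrefs($theme, $size === false ? 20 : $size);
}

function savePrefsJson(UserPrefs $p): string
{
    return json_encode(['theme' => $p->theme, 'pageSize' => $p->pageSize], JSON_THROW_ON_ERROR);
}

// MIDDLE GROUND when the serialized format must be kept for now: forbid object
// instantiation entirely. Any class name in the payload is turned into
// __PHP_Incomplete_Class, so no magic method of any plugin class ever runs.
function loadPrefsNoClasses(string $cookie): array
{
    $data = @unserialize($cookie, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}
```

A quick inventory of remaining sinks in a site tree is `grep -rn 'unserialize(' wp-content/plugins wp-content/themes`; each hit that takes data from a request, cookie, or database row written by users is a candidate for the JSON rewrite above.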