WordPress has produced model 6.4.2 with a patch for a critical security flaw that could be exploited by threat actors by combining it with a further bug to execute arbitrary PHP code on vulnerable sites.
“A distant code execution vulnerability that is not immediately exploitable in main nonetheless, the security group feels that there is a probable for superior severity when combined with some plugins, specifically in multisite installations,” WordPress mentioned.
According to WordPress security corporation Wordfence, the issue is rooted in the WP_HTML_Token course that was introduced in variation 6.4 to enhance HTML parsing in the block editor.
A risk actor with the potential to exploit a PHP object injection vulnerability existing in any other plugin or theme to chain the two issues to execute arbitrary code and seize control of the specific web page.
“If a POP [property-oriented programming] chain is existing via an extra plugin or theme installed on the concentrate on technique, it could allow for the attacker to delete arbitrary files, retrieve delicate facts, or execute code,” Wordfence observed previously in September 2023.
In a comparable advisory launched by Patchstack, the organization said an exploitation chain has been manufactured out there on GitHub as of November 17 and additional to the PHP Generic Gadget Chains (PHPGGC) task. It really is suggested that users manually look at their web pages to guarantee that it can be up-to-date to the most current edition.
“If you are a developer and any of your tasks comprise functionality calls to the unserialize functionality, we highly endorse you swap this with anything else, such as JSON encoding/decoding using the json_encode and json_decode PHP capabilities,” Patchstack CTO Dave Jong stated.
Identified this report exciting? Follow us on Twitter and LinkedIn to go through additional exclusive content we write-up.
Some parts of this post are sourced from: