WordPress has released version 6.4.2, a maintenance and security release that patches a vulnerability rated critical in severity: under the right conditions it lets an attacker execute arbitrary PHP code on the site, which can lead to a full site takeover.

The WordPress security team described the issue in the release notes as follows:

"A Remote Code Execution vulnerability that is not directly exploitable in core, however the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installs."

In other words, WordPress 6.4 shipped a Property Oriented Programming (POP) chain: a set of core classes whose magic methods can be strung together to reach arbitrary PHP code execution once an attacker is able to get instances of those classes created. On its own the chain does nothing. It needs a separate PHP object injection flaw, that is, code that passes attacker-controlled data to unserialize(), which could be introduced by a vulnerable plugin or add-on. Together, the two flaws become critical in severity, which is why the core side was fixed even though core by itself is not directly exploitable.
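As an added illustration (not code from WordPress or from any of the linked articles), the following constructed PHP snippet shows the two halves described above: a gadget class whose destructor invokes a callable stored in a property, a hypothetical plugin entry point that hands attacker-controlled cookie data to unserialize() (the object injection flaw), and the hardened form that refuses to instantiate any class. DemoGadget, demo_sink(), vulnerable_restore(), hardened_restore() and build_payload() are all invented for this demo; the real WordPress gadget is not reproduced here.

```php
<?php
// Constructed demonstration of a PHP object injection flaw feeding a POP-chain
// gadget. Nothing here is WordPress code: DemoGadget, vulnerable_restore(),
// hardened_restore(), build_payload() and demo_sink() are invented for this example.

// A gadget in the style a POP chain needs: a class whose destructor calls a
// callable stored in a property. Legitimate code sets on_destroy to something
// harmless; an attacker who can instantiate the class via unserialize() chooses
// both the callable and its argument (in a real attack, e.g. 'system' and a command).
final class DemoGadget
{
    public $on_destroy = null;
    public $argument   = null;

    public function __destruct()
    {
        if ($this->on_destroy !== null) {
            call_user_func($this->on_destroy, $this->argument); // the sink
        }
    }
}

// Stand-in for the attacker's chosen callable, so the demo stays harmless.
function demo_sink(string $arg): void
{
    echo "[sink] attacker-controlled callable ran with argument: $arg\n";
}

// Hypothetical plugin entry point with the object injection flaw: it trusts a
// cookie and hands it to unserialize(), so any loaded class with magic methods
// (core, plugins, themes) becomes instantiable by the attacker.
function vulnerable_restore(string $cookie): void
{
    $state = unserialize(base64_decode($cookie));   // VULNERABLE
    // ... plugin logic would use $state here. When $state goes out of scope at
    // return, DemoGadget::__destruct() fires with the attacker's values.
}

// Hardened form: forbid class instantiation entirely. Any object in the payload
// comes back as __PHP_Incomplete_Class, whose destruction runs no gadget code.
// (Better still: never unserialize untrusted data at all; use JSON for plain data.)
function hardened_restore(string $cookie): ?array
{
    $state = unserialize(base64_decode($cookie), ['allowed_classes' => false]);
    return is_array($state) ? $state : null;   // accept only plain data
}

// Attacker side: craft the payload. The gadget's properties are public, so
// serialize() produces the string directly; the local copy is disarmed
// afterwards so its own destructor does nothing on the attacker's machine.
function build_payload(string $callable, string $arg): string
{
    $g = new DemoGadget();
    $g->on_destroy = $callable;
    $g->argument   = $arg;
    $payload = base64_encode(serialize($g));
    $g->on_destroy = null;
    return $payload;
}

$payload = build_payload('demo_sink', 'id');
echo "serialized payload: " . base64_decode($payload) . "\n";

echo "vulnerable path:\n";
vulnerable_restore($payload);            // prints the [sink] line

echo "hardened path:\n";
var_dump(hardened_restore($payload));    // NULL: nothing was instantiated
```

Run it with `php demo.php`. The practical checks that follow from this are: confirm the site is on 6.4.2 or later (`wp core version` with WP-CLI, or read wp-includes/version.php), and audit third-party code for the entry point the chain needs, for example `grep -rn 'unserialize(' wp-content/plugins wp-content/themes` (WordPress's own maybe_unserialize() wraps unserialize() and counts too). Removing the core gadget closes this chain, but a plugin that unserializes untrusted input remains a bug worth fixing regardless.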
Sources:
wordpress.org: WordPress 6.4.2 Maintenance & Security Release (a minor release with 7 bug fixes in Core, including a fix for an issue causing stylesheet and theme directories to sometimes return incorrect results)
www.searchenginejournal.com: WordPress Releases Version 6.4.2 For Critical Vulnerability (the security release addresses a critical severity vulnerability and urges users to update immediately)
xakep.ru: WordPress fixes a vulnerability threatening sites with remote code execution (in Russian; the article notes that although WordPress powers about 43% of all websites, this vulnerability is unlikely to see mass attacks, since it affects only the newest WordPress versions and requires the installation of...)
Technical analysis: https://www.wordfence.com/blog/2023...te-code-execution-patched-in-wordpress-6-4-2/
https://www.bleepingcomputer[.]com/...s-pop-chain-exposing-websites-to-rce-attacks/