
WordPress Vulnerability Alert: Core Exploit Uncovered!

WordPress has rolled out its latest release, version 6.4.2, addressing a critical remote code execution vulnerability. This flaw, when chained with a second vulnerability, lets attackers execute arbitrary PHP code on WordPress sites. Given that WordPress powers nearly half the internet, the potential impact is substantial.

The WordPress security team identified a Property Oriented Programming (POP) chain flaw in version 6.4. This flaw enables arbitrary PHP code execution under specific conditions: a PHP object injection flaw must already be present on the target website, typically introduced through a vulnerable plugin or add-on. The combination of the two flaws is what raises the severity.

WordPress clarified that the remote code execution vulnerability is not directly exploitable in the core on its own. However, the security team highlights the potential for high severity, particularly in multisite installations and when the flaw is combined with certain plugins.
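The precondition described above, a PHP object injection flaw in a plugin, almost always comes down to one pattern: attacker-controlled input is passed to unserialize(). The following is an added example, not WordPress core code and not code from the article or from Wordfence or Patchstack; the function names, the Prefs class and the serialised payload are constructed for illustration. It shows the vulnerable pattern beside two hardened forms, and why the POP chain in core cannot be reached once the plugin refuses to instantiate objects.

```php
<?php
// Added example: not WordPress core code and not from the article.
// Function names, the Prefs class and the payload are hypothetical.

// The precondition the article describes: a plugin hands attacker-controlled
// input (a cookie, a POST field, a stored option) to unserialize(). PHP then
// instantiates whatever class the payload names and runs its magic methods
// (__wakeup, __destruct, __toString), which is the entry point a POP chain
// in core or in another plugin needs.
function load_prefs_vulnerable(string $raw)
{
    return unserialize($raw); // any class may be instantiated
}

// Mitigation 1: keep unserialize() but forbid objects. Available since
// PHP 7.0, allowed_classes => false turns every object in the payload into
// __PHP_Incomplete_Class, so no application class is instantiated and no
// magic method of the real class runs.
function load_prefs_hardened(string $raw): ?array
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    // Only an array is a valid preferences blob here; anything else
    // (false for malformed input, an incomplete object) is rejected.
    return is_array($data) ? $data : null;
}

// Mitigation 2: do not use PHP serialisation for untrusted input at all.
// JSON has no object-instantiation semantics in PHP.
function load_prefs_json(string $raw): ?array
{
    $data = json_decode($raw, true, 8);
    return (json_last_error() === JSON_ERROR_NONE && is_array($data)) ? $data : null;
}

// Constructed demonstration: a harmless class that only announces when it
// is woken up stands in for a real gadget class.
class Prefs
{
    public $theme = 'dark';

    public function __wakeup()
    {
        echo "Prefs::__wakeup ran\n";
    }
}

// Serialised form: O:5:"Prefs":1:{s:5:"theme";s:4:"dark";}
$payload = serialize(new Prefs());

// Vulnerable sink: Prefs is instantiated and its __wakeup() executes.
load_prefs_vulnerable($payload);

// Same payload with objects forbidden: PHP restores it as
// __PHP_Incomplete_Class, so Prefs::__wakeup() is never invoked.
$blocked = unserialize($payload, ['allowed_classes' => false]);
echo get_class($blocked), "\n";

// The hardened loader rejects the object outright; the JSON loader only
// ever returns plain arrays.
var_dump(load_prefs_hardened($payload));
var_dump(load_prefs_json('{"theme":"dark"}'));
```

Run it with `php example.php` on PHP 7.0 or later. From an auditing standpoint, the check to make on a plugin or theme is simply whether any call to unserialize() receives data derived from a request or from a database value an unauthenticated user can influence; if it does, either the allowed_classes option or a switch to JSON removes the object injection that the core POP chain depends on.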


WordPress Vulnerability and Exploit Exposure

A vulnerability in the WordPress core has emerged, which is a rarity in itself. For technical details, Wordfence's analysis provides a comprehensive write-up.

According to BleepingComputer, a Patchstack notification disclosed that an exploit chain surfaced on GitHub weeks ago, later incorporated into the PHPGGC library.

WordPress, powering a staggering 800 million sites, remains a prime target for attackers. Despite its robust core, vulnerabilities are most often discovered in plugins, add-ons, and themes, especially those offered for free.

Created by enthusiasts, these free tools are sometimes abandoned, leaving security holes unpatched for extended periods. This delay in patching exposes site owners to threats such as data theft, malicious redirects, and unwanted ads.