WordPress has announced the release of version 6.4.2, which includes a crucial patch addressing a significant security vulnerability. This flaw can potentially be exploited by malicious actors, particularly when coupled with other existing vulnerabilities, posing a risk of arbitrary PHP code execution on affected sites.
The vulnerability is characterized as a remote code execution issue that is not easily exploitable in its core form. WordPress officials have raised concerns regarding the high severity of its potential impact, especially in multisite configurations when combined with certain plugins. This information was detailed in their official statement regarding the release.
According to research from Wordfence, a cybersecurity firm, the vulnerability arises from the WP_HTML_Token class, which was introduced in version 6.4 to enhance HTML parsing capabilities in the block editor. Should an attacker successfully leverage a PHP object injection vulnerability in any other plugin or theme, they could gain the ability to execute arbitrary code, effectively taking control of the targeted site.
Wordfence warned that if a property-oriented programming (POP) chain exists through an installed plugin or theme, an attacker could delete critical files, access sensitive data, or execute malicious code. This scenario underscores the potential severity of the issue and illustrates how interconnected the vulnerabilities are within the WordPress ecosystem.
Furthermore, Patchstack has released an advisory indicating that an exploitation chain related to this vulnerability was made public on GitHub as of November 17. Their warning emphasizes the importance of users updating their systems to the latest version of WordPress to mitigate potential threats effectively.
For developers, it is advised to replace any function calls to the unserialize function with alternatives such as JSON encoding and decoding using json_encode and json_decode, to bolster security against potential exploitation. Patchstack’s Chief Technology Officer, Dave Jong, has underscored this recommendation as a critical security measure.
The targeted vulnerabilities reside predominantly within WordPress sites, which serve as a platform for millions of users globally. Businesses relying on WordPress for their online presence must prioritize timely updates and implementations of robust security practices. Understanding these vulnerabilities within the context of the MITRE ATT&CK framework highlights potential attack vectors such as initial access and privilege escalation, enabling organizations to better prepare against such threats.
