WordPress fixes POP chain exposing websites to RCE attacks

December 7, 2023 at 03:17PM

WordPress version 6.4.2 fixes a critical RCE vulnerability, exploitable via a flaw in plugins or themes. Although the core issue isn’t critical alone, it can lead to arbitrary PHP code execution when combined with other vulnerabilities, particularly on multisite installations. Users are advised to manually verify their WordPress update.

Takeaway Summary:

1. **WordPress Version Update**: WordPress has released an update to its software, version 6.4.2, which addresses a significant security vulnerability.

2. **Vulnerability Details**:
– An RCE (Remote Code Execution) vulnerability has been found, which may lead to attackers running arbitrary PHP code on affected sites.
– The vulnerability stems from a Property Oriented Programming (POP) chain introduced in WordPress 6.4 core.
– The POP chain vulnerability involves manipulation of object properties via PHP’s unserialize() function, potentially allowing attackers to control application flow.

3. **Conditions for Exploitation**:
– The vulnerability is not directly exploitable on its own; it requires a coexisting PHP object injection flaw, likely in a plugin or theme, to reach high severity levels.
– Particular concern lies with multisite installations.

4. **Technical Insights**:
– Security experts from Wordfence have provided more information on the WP_HTML_Token class. This class could allow arbitrary code execution through its ‘__destruct’ method and associated ‘on_destroy’ property.
– The flaw’s critical nature is amplified when coupled with existing object injection opportunities in plugins or themes.

5. **Industry Response**:
– Security professionals from Patchstack have noted that there’s already an exploit chain linked to this vulnerability that was posted on GitHub and included in the PHPGGC library.

6. **Update Recommendations**:
– Despite automatic updates for most installations, administrators are strongly advised to manually confirm whether the latest update (6.4.2) has been successfully applied to mitigate the risk associated with this vulnerability.
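
One way to do the manual check from item 6 across a whole server, as an added example that is not from the original article or from WordPress. It assumes the affected range is 6.4 up to but not including 6.4.2, as the summary states, and reads the `$wp_version` value that core keeps in `wp-includes/version.php`; the function names and the sample installs are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Range from the summary above: chain introduced in 6.4 core, fixed in 6.4.2.
INTRODUCED, FIXED = (6, 4, 0), (6, 4, 2)
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)


def parse_version(text):
    """Parse `$wp_version = '6.4.2';` from version.php text; None if absent."""
    m = VERSION_RE.search(text)
    nums = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", m.group(1)) if m else None
    return (m.group(1), tuple(int(g or 0) for g in nums.groups())) if nums else None


def classify(text):
    """Return (version_string, status) for one version.php's contents."""
    parsed = parse_version(text)
    if parsed is None:
        return None, "unknown"  # unreadable file: check this install by hand
    # Assumption: pre-release suffixes (6.4.2-RC1) compare by numeric part only.
    status = "affected" if INTRODUCED <= parsed[1] < FIXED else "ok"
    return parsed[0], status


def audit(root):
    """Map every WordPress install found under root to (version, status)."""
    results = {}
    for vfile in sorted(Path(root).rglob("wp-includes/version.php")):
        text = vfile.read_text(encoding="utf-8", errors="replace")
        results[str(vfile.parent.parent)] = classify(text)
    return results


def demo():
    """Audit constructed sample installs written to a temporary directory."""
    samples = {"blog": "6.4.1", "shop": "6.4.2", "old": "6.3.2", "fresh": "6.4"}
    with tempfile.TemporaryDirectory() as tmp:
        for name, ver in samples.items():
            inc = Path(tmp, name, "wp-includes")
            inc.mkdir(parents=True)
            (inc / "version.php").write_text(f"<?php\n$wp_version = '{ver}';\n")
        return {Path(k).name: v for k, v in audit(tmp).items()}


if __name__ == "__main__":
    print(demo())
```

Here "ok" only means the install is outside the range for this particular issue; point `audit()` at the web root to check real sites.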

All parties concerned with WordPress site security should prioritize this information for immediate action to safeguard their websites.
