December 8, 2023 at 04:48AM
WordPress version 6.4.2 patches a critical security flaw potentially exploitable with plugins, particularly in multisite setups. The vulnerability stems from the WP_HTML_Token class and can lead to arbitrary PHP code execution when chained with other bugs. Patchstack advises developers to replace ‘unserialize’ function calls to prevent attacks.
Takeaways from the Meeting Notes on December 8, 2023:
1. WordPress has addressed a critical security defect with the release of version 6.4.2. This defect, when combined with another vulnerability, could potentially allow unauthorized users to execute arbitrary PHP code on affected websites.
2. The vulnerability in question pertains to the WP_HTML_Token class that was included in WordPress version 6.4, which seeks to enhance HTML parsing within the block editor. However, this has introduced a remote code execution vulnerability.
3. While the core itself is not directly exploitable, the synergy of this vulnerability alongside certain plugins—particularly in multisite installations—raises the severity level of the threat.
4. The security firm Wordfence has identified that the vulnerability can be exploited via PHP object injection present in other plug-ins or themes, allowing attackers to delete files, access sensitive information, or run code if a property-oriented programming (POP) chain is in place.
5. Patchstack has released an advisory stating that an exploitation chain, which can utilize this vulnerability, has been published on GitHub since November 17 and is part of the PHP Generic Gadget Chains (PHPGGC) project.
6. Users are advised to manually inspect their WordPress installations to ensure that they have been updated to the most current version to protect against this security issue.
7. Developers with projects that use the unserialize function within their code should consider replacing it with safer alternatives, such as json_encode and json_decode PHP functions, according to Patchstack’s CTO Dave Jong.
8. The article encourages following the source on Twitter and LinkedIn for further related content.
Action Steps:
– Update WordPress sites to version 6.4.2 immediately.
– Review additional plugins and themes for potential vulnerabilities, especially on multisite installations.
– Replace unserialize function calls with safer methods in code.
– Follow the security advisories for any further updates or recommended actions.
– Monitor social media outlets mentioned for ongoing information.