Friday, December 8, 2023

WordPress Releases Update 6.4.2 to Address Critical Remote Attack Vulnerability

Dec 08, 2023 | Newsroom | Vulnerability / Website Security


WordPress has released version 6.4.2 with a patch for a critical security flaw that could be exploited by threat actors, when combined with another bug, to execute arbitrary PHP code on vulnerable sites.

"A remote code execution vulnerability that is not directly exploitable in core; however, the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installations," WordPress said.

According to WordPress security company Wordfence, the issue is rooted in the WP_HTML_Token class, which was introduced in version 6.4 to improve HTML parsing in the block editor.


The flaw is not exploitable on its own. A threat actor who can exploit a PHP object injection vulnerability (an unserialize() call on attacker-controlled data) present in any other installed plugin or theme could chain the two issues to execute arbitrary code and seize control of the targeted site.

"If a POP [property-oriented programming] chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code," Wordfence noted previously in September 2023.


In a similar advisory released by Patchstack, the company said an exploitation chain has been available on GitHub since November 17 and has been added to the PHP Generic Gadget Chains (PHPGGC) project. Users are advised to manually check their sites to ensure they are updated to the latest version.

"If you are a developer and any of your projects contain function calls to the unserialize function, we highly recommend you swap this with something else, such as JSON encoding/decoding using the json_encode and json_decode PHP functions," Patchstack CTO Dave Jong said.
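The following is an added example, not code from the article, WordPress, Wordfence or Patchstack. It shows the shape of the chain described above and the replacement Patchstack recommends: a constructed gadget class (DemoGadget, a stand-in for the general pattern of a class whose destructor acts on attacker-controlled properties; it is not a reproduction of WP_HTML_Token) beside a plugin-style settings loader that calls unserialize() on untrusted input, the same loader rewritten with json_decode(), and, for code that cannot change its storage format, unserialize() with allowed_classes => false. The payload string, the function names and the settings format are all constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the article, WordPress, Wordfence or Patchstack.
// DemoGadget is a constructed stand-in for the general shape of a POP gadget:
// a class whose __destruct() acts on attacker-controlled properties. It is
// NOT a reproduction of the real WP_HTML_Token class.
final class DemoGadget
{
    public $on_destroy; // callable run when the object is garbage-collected
    public $arg;        // argument passed to that callable

    public function __destruct()
    {
        if (is_callable($this->on_destroy)) {
            call_user_func($this->on_destroy, $this->arg);
        }
    }
}

// VULNERABLE: a plugin-style settings loader that trusts serialized input.
// If $raw is attacker-controlled (cookie, request body, writable option),
// the attacker chooses the class with O:10:"DemoGadget":... and PHP
// instantiates it, so its magic methods run inside the site's process.
function load_settings_vulnerable(string $raw): array
{
    $data = unserialize($raw); // PHP object injection sink
    return is_array($data) ? $data : [];
}

// HARDENED (Patchstack's recommendation): JSON has no notion of classes, so
// the decoded value can only ever be scalars and arrays.
function load_settings_json(string $raw): array
{
    $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR); // assoc arrays only
    return is_array($data) ? $data : [];
}

// FALLBACK when the storage format cannot change (PHP >= 7.0): with
// allowed_classes => false every object becomes __PHP_Incomplete_Class,
// which has no destructor, wakeup or toString for a chain to abuse.
function load_settings_no_objects(string $raw): array
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Constructed payload (hand-written so no DemoGadget exists outside the
// unserialize() call): an innocuous-looking settings array that smuggles a
// DemoGadget whose destructor will call printf() with an attacker string.
$payload = 'a:2:{s:5:"theme";s:4:"dark";s:1:"g";O:10:"DemoGadget":2:'
         . '{s:10:"on_destroy";s:6:"printf";s:3:"arg";s:28:"gadget fired: __destruct ran";}}';

echo "1. unserialize() on attacker data:\n";
$settings = load_settings_vulnerable($payload);
unset($settings); // dropping the array frees the gadget -> __destruct fires
echo "\n";

echo "2. unserialize() with allowed_classes => false:\n";
$settings = load_settings_no_objects($payload);
echo '   class seen: ' . get_class($settings['g']) . "\n"; // __PHP_Incomplete_Class
unset($settings); // nothing fires

echo "3. json_decode(): the serialized payload is simply rejected:\n";
try {
    load_settings_json($payload);
} catch (JsonException $e) {
    echo '   rejected: ' . $e->getMessage() . "\n"; // "Syntax error"
}
echo json_encode(load_settings_json('{"theme":"dark"}')) . "\n"; // legitimate input still works
```

Run it with `php demo.php`. The point of the first case is that the loader never references DemoGadget at all; the attacker supplies the class name, and PHP instantiates whatever is autoloadable in the process, which is why an unserialize() sink in one plugin turns a harmless-looking class in WordPress core or another plugin into a gadget. Swapping the format for JSON removes the class channel entirely; `allowed_classes` can also take an array of specific class names when a legacy format genuinely needs some objects. On the class side, a general PHP hardening pattern (stated here as a generic technique, not as a description of the 6.4.2 patch) is to give any class with a sensitive destructor a `__wakeup()` that throws, so it refuses to be created by unserialize() at all.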
