Saturday, May 18, 2024

WordPress Releases 6.4.2 Due To A Serious Security Flaw

A critical severity vulnerability in WordPress has been fixed, and users are urged to update right away.

WordPress 6.4.2 patches a vulnerability rated critical that could let an attacker execute arbitrary PHP code on a site and, from there, take it over completely.

The vulnerability lies in code added in WordPress 6.4 to improve HTML parsing for the block editor.

WordPress versions 6.4 and 6.4.1 are the only ones affected by the problem; earlier versions do not have it.

An official announcement from WordPress details the vulnerability:

“A Remote Code Execution vulnerability that is not directly exploitable in core; however, the security team believes that when combined with certain plugins, particularly in multisite installs, there is a potential for high severity.”

As per the recommendation released by Wordfence:

An attacker can easily take over a website by executing arbitrary code because they would have complete control over the on_destroy and bookmark_name properties if they were able to exploit an Object Injection vulnerability.

Although there aren’t any known object injection vulnerabilities in WordPress Core right now, there are plenty in other plugins and themes. The danger level of any Object Injection vulnerability is significantly increased by the easy-to-exploit POP chain present in the core of WordPress.
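The PHP below is an added illustration, not code from WordPress or Wordfence, of the chain the advisory describes: a gadget class whose __destruct() calls whatever callable is stored in on_destroy with bookmark_name as its argument, a plugin-style unserialize() of visitor-controlled data through which an attacker can build that object, and two ways to break the chain: the class refusing to be unserialized (the approach WordPress 6.4.2 took for the real core class, WP_HTML_Token, by adding a __wakeup() that throws) and the unserialize() caller passing allowed_classes => false. The class name HtmlToken, the demo_sink callback and the *_load_prefs functions are assumptions for the example.

```php
<?php
// Added illustration, not WordPress or Wordfence code. Names (HtmlToken,
// demo_sink, *_load_prefs) are assumptions for this example.

// Gadget class with the shape described above: a callable chosen by the
// serialized data is invoked from the destructor with a second property as
// its argument. Any unserialize() of attacker data elsewhere on the site
// can therefore end in call_user_func('system', '<command>').
class HtmlToken {
    public $bookmark_name = null;
    public $on_destroy    = null;

    public function __destruct() {
        if ( is_callable( $this->on_destroy ) ) {
            call_user_func( $this->on_destroy, $this->bookmark_name );
        }
    }
}

// Hardened gadget: refuse to be built from serialized data at all. PHP does
// not run __destruct() on an object whose __wakeup() threw, so the chain
// never fires. (WordPress 6.4.2 applied this fix to WP_HTML_Token.)
class HtmlTokenHardened extends HtmlToken {
    public function __wakeup() {
        throw new LogicException( __CLASS__ . ' should never be unserialized' );
    }
}

// Stand-in for the attacker's real choice of callable (e.g. 'system').
// It only records that it was invoked and with what.
$GLOBALS['sink_calls'] = array();
function demo_sink( $arg ) {
    $GLOBALS['sink_calls'][] = $arg;
}

// Attacker side: the payload is plain text, crafted without ever
// instantiating the class. Property order does not matter to unserialize().
function build_payload( $class, $callable, $arg ) {
    return 'O:' . strlen( $class ) . ':"' . $class . '":2:{'
        . 's:13:"bookmark_name";s:' . strlen( $arg ) . ':"' . $arg . '";'
        . 's:10:"on_destroy";s:' . strlen( $callable ) . ':"' . $callable . '";}';
}

// Vulnerable plugin-style code: deserializes a visitor-controlled value.
// Even though the object is discarded, it is freed on return and its
// destructor runs at that moment.
function vulnerable_load_prefs( $cookie_value ) {
    $prefs = unserialize( $cookie_value );                 // object injection
    return is_array( $prefs ) ? $prefs : array();
}

// Caller-side fix (PHP >= 7.0): with allowed_classes => false every object
// in the stream becomes __PHP_Incomplete_Class, which has no destructor.
function safe_load_prefs( $cookie_value ) {
    $prefs = unserialize( $cookie_value, array( 'allowed_classes' => false ) );
    return is_array( $prefs ) ? $prefs : array();
}

$payload = build_payload( 'HtmlToken', 'demo_sink', 'id' );
echo "payload: $payload\n";

vulnerable_load_prefs( $payload );
echo 'after vulnerable unserialize: ' . count( $GLOBALS['sink_calls'] ) . " sink call(s)\n";

safe_load_prefs( $payload );
echo 'after allowed_classes=false:  ' . count( $GLOBALS['sink_calls'] ) . " sink call(s)\n";

try {
    vulnerable_load_prefs( build_payload( 'HtmlTokenHardened', 'demo_sink', 'id' ) );
} catch ( LogicException $e ) {
    echo 'hardened class: ' . $e->getMessage() . "\n";
}
echo 'after hardened class:         ' . count( $GLOBALS['sink_calls'] ) . " sink call(s)\n";
```

Run it with any PHP 7 or 8 interpreter: the sink counter should advance only on the vulnerable path, which is the whole point of the advisory. The gadget itself contains no bug a scanner would flag; it is the combination of a destructor that trusts its own properties with an unserialize() of untrusted input somewhere else that produces code execution. Auditing plugins and themes for unserialize() on request data, and passing allowed_classes => false wherever objects are not genuinely needed, is the corresponding check on the caller side.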

Object Injection Security Flaw

Wordfence’s advisory notes that an Object Injection vulnerability on its own is not easy to turn into code execution; it becomes dangerous when a POP chain like this one exists on the site. For that reason they still advise WordPress users to update to the latest version.

WordPress itself recommends that users update their sites right away. Sites with automatic background updates enabled should already have received 6.4.2; anyone else should apply it manually from Dashboard > Updates (or with `wp core update` via WP-CLI) and confirm the version afterwards.

Read the official WordPress statement here:

WordPress 6.4.2 Maintenance & Security Release
