Update WordPress now to fix this significant security flaw
WordPress has released a new version – 6.4.2, which fixes a remote code execution vulnerability. Combined with another flaw, hackers can execute arbitrary PHP code on a WordPress website, and since almost half of the Internet is believed to run on WordPress, the attack surface is quite wide.
According to the website builder's security team, version 6.4 was vulnerable to a Property Oriented Programming (POP) chain flaw that could be used to execute arbitrary PHP code, albeit under specific circumstances. These circumstances require that the target website contains a PHP object injection flaw, which can be introduced with a vulnerable plugin or add-on. Together the defects become critical in severity.
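The prerequisite the article describes, a PHP object injection flaw that a plugin introduces, comes down to one call. As an added illustration (not code from the article, WordPress, or any real plugin), the vulnerable loader below sits beside a hardened one; the `ReportTask` class and the cookie format are constructed for the demonstration and assume PHP 8.

```php
<?php
// Added example (not from the article or WordPress): the plugin-side defect
// that gives a POP chain its entry point, next to a hardened loader.
// The class and cookie format below are constructed for the demonstration.

// Any loaded class with a magic method is a potential gadget: unserialize()
// instantiates whatever class name the payload names, and PHP then runs
// __wakeup / __destruct / __toString on it. A POP chain strings such
// gadgets together; closing the entry point disables the whole chain.
class ReportTask {
    public static int $wakeups = 0;   // records whether a magic method ran
    public string $label = '';
    public function __wakeup(): void { self::$wakeups++; }
}

// Vulnerable pattern: unserialize() on attacker-controlled input
// (a cookie, POST field, or option value a low-privileged user can write).
function load_prefs_vulnerable(string $cookie): mixed {
    return unserialize(base64_decode($cookie));
}

// Hardened: forbid instantiation of every class. Any object in the payload
// arrives as __PHP_Incomplete_Class and no magic method runs. Arrays and
// scalars, which is all a preferences cookie should carry, still work.
// For new code, prefer json_encode/json_decode, which cannot carry objects.
function load_prefs_hardened(string $cookie): mixed {
    return unserialize(base64_decode($cookie), ['allowed_classes' => false]);
}

function check(bool $ok, string $what): void {
    if (!$ok) { fwrite(STDERR, "FAILED: $what\n"); exit(1); }
}

// Constructed benign input: the only shape the feature actually needs.
$benign = base64_encode(serialize(['theme' => 'dark', 'per_page' => 20]));
check(load_prefs_hardened($benign)['theme'] === 'dark', 'benign data survives');

// Constructed object-bearing input, the shape an object injection attempt carries.
$injected = base64_encode(serialize(new ReportTask()));

load_prefs_vulnerable($injected);                       // instantiates ReportTask
check(ReportTask::$wakeups === 1, 'vulnerable loader ran __wakeup');

$obj = load_prefs_hardened($injected);                  // class never instantiated
check($obj instanceof __PHP_Incomplete_Class, 'object neutralised');
check(ReportTask::$wakeups === 1, 'hardened loader ran no magic method');
echo "hardened loader blocked object injection\n";
```

Auditing a plugin for the vulnerable pattern means finding every `unserialize()` (and WordPress's `maybe_unserialize()`) whose input can be influenced by a request, not just the ones reading obviously untrusted fields.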
“A remote code execution vulnerability that is not directly exploitable at its core; however, the security team believes there is a potential for serious issues in combination with some plugins, especially with multi-location installations,” WordPress said.
Exploitation available
It's not every day that we come across a vulnerability in the WordPress core, but today is one of those days – those interested in the technical details of the flaw should consult Wordfence's technical analysis.
BleepingComputer further reported on a Patchstack notice that an exploit chain had already been uploaded to GitHub weeks ago and was later even added to the PHPGGC library.
WordPress is by far the most popular website builder out there, with 800 million sites. Its popularity also means it is constantly under the magnifying glass of hackers, but vulnerabilities are rarely found in WordPress itself. Instead, hackers find it easier to find holes in plugins, add-ons, and themes, especially free-to-use plugins.
These are often built by enthusiasts or people who later abandon or forget about the project, causing vulnerabilities to persist longer and be patched more slowly. Threat actors can use the flaws to steal data, redirect visitors to other malicious sites, display unwanted ads, and more.