WordPress Releases Version 6.4.2 For Critical Vulnerability via @sejournal, @martinibuster
WordPress security release addresses a critical severity vulnerability and urges users to update immediately
WordPress has released version 6.4.2, which contains a patch for a critical severity vulnerability that could allow attackers to execute PHP code on the site and potentially lead to a full site takeover.
The vulnerability was traced back to a feature introduced in WordPress 6.4 that was meant to improve HTML parsing in the block editor.
The issue is not present in earlier versions of WordPress and it only affects versions 6.4 and 6.4.1.
An official WordPress announcement describes the vulnerability:
“A Remote Code Execution vulnerability that is not directly exploitable in core, however the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installs.”
According to an advisory published by Wordfence:
“Since an attacker able to exploit an Object Injection vulnerability would have full control over the on_destroy and bookmark_name properties, they can use this to execute arbitrary code on the site to easily gain full control.
While WordPress Core currently does not have any known object injection vulnerabilities, they are rampant in other plugins and themes. The presence of an easy-to-exploit POP chain in WordPress core substantially increases the danger level of any Object Injection vulnerability.”
Object Injection Vulnerability
Wordfence advises that Object Injection vulnerabilities are not easy to exploit. Nonetheless, they recommend that WordPress users update to the latest version.
WordPress itself advises that users update their sites immediately.
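To find which installs on a host still run one of the two affected releases named above (6.4 and 6.4.1), the following added example, which is not code from WordPress, Wordfence or the original article, reads `$wp_version` from each `wp-includes/version.php` under a directory. The function names, the sample directory tree and the "review" status for pre-release builds are assumptions made for this illustration.

```python
import re
import tempfile
from pathlib import Path

# Per the article: only 6.4 and 6.4.1 are affected; 6.4.2 carries the patch.
AFFECTED = {"6.4", "6.4.1"}
# WordPress core sets the release string as $wp_version in wp-includes/version.php.
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)

def read_wp_version(version_php):
    """Return the $wp_version string from a version.php file, or None."""
    try:
        text = version_php.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return None
    match = VERSION_RE.search(text)
    return match.group(1) if match else None

def classify(version):
    """Map a version string to 'affected', 'review', 'ok' or 'unknown'."""
    if version is None:
        return "unknown"
    base, _, suffix = version.partition("-")
    if base in AFFECTED:
        # Assumption: the article does not cover pre-release builds (e.g. 6.4.1-RC1),
        # so they are flagged for manual review instead of being called affected.
        return "review" if suffix else "affected"
    return "ok"

def audit(root):
    """Return {site path relative to root: (version, status)} for each install."""
    results = {}
    for vfile in sorted(root.rglob("version.php")):
        if vfile.parent.name != "wp-includes":
            continue  # some unrelated version.php, e.g. inside a plugin
        version = read_wp_version(vfile)
        results[str(vfile.parent.parent.relative_to(root))] = (version, classify(version))
    return results

def build_sample_tree(root):
    """Constructed sample data: three fake installs holding only version.php."""
    for name, ver in {"blog-a": "6.4.1", "blog-b": "6.4.2", "blog-c": "6.3.2"}.items():
        inc = root / name / "wp-includes"
        inc.mkdir(parents=True)
        (inc / "version.php").write_text(f"<?php\n$wp_version = '{ver}';\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for site, (ver, status) in audit(Path(tmp)).items():
            print(f"{site}: {ver} -> {status}")
```

On a real host, call `audit()` with the directory that holds the sites instead of the constructed sample tree.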
Read the official WordPress announcement:
WordPress 6.4.2 Maintenance & Security Release
Read the Wordfence advisory:
PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2
SEJ STAFF Roger Montti Owner - Martinibuster.com at Martinibuster.com