According to The Hacker News, WordPress has released version 6.4.2, which patches a critical security vulnerability that hackers could chain with a second flaw to execute arbitrary PHP code on sites that have not yet updated.
The company stated that the remote code execution vulnerability cannot be exploited directly in the core; however, the security team judged that it could become high-severity when combined with certain plugins, particularly on multi-site installations.
According to security firm Wordfence, the issue stems from a class introduced in version 6.4 to improve HTML parsing in the block editor. An attacker who can already inject PHP objects can chain that class with object-injection gadgets present in plugins or themes to execute arbitrary code and take control of the target website. As a result, attackers can delete arbitrary files, access sensitive data, or execute code.
As a popular content management platform, WordPress is also a target for hackers.
In a similar warning, Patchstack stated that an exploit chain had been published on GitHub as of November 17th and added to the PHP Generic Gadget Chains (PHPGGC) project. Users should manually check their websites to ensure they are updated to the latest version.
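The manual check recommended above can be scripted. The following POSIX shell snippet is an added example, not code from the article or from WordPress: it reads `$wp_version` from `wp-includes/version.php` (the file where WordPress core records its version) and reports whether the install is at or above the patched 6.4.2 release. The sample install tree it builds under a temporary directory is constructed so the script runs offline; point `wp_is_patched` at a real document root to use it on a live site. It relies on `sort -V` (GNU coreutils) for version ordering.

```shell
#!/bin/sh
# Added example: verify a WordPress install is at or above the patched release.
# Not part of the article; paths and the sample tree below are assumptions.

PATCHED_VERSION="6.4.2"

# Build a constructed WordPress-like tree with the given version string,
# so the check can be exercised without a real site. Prints the root dir.
make_sample() {
  dir=$(mktemp -d)
  mkdir -p "$dir/wp-includes"
  cat > "$dir/wp-includes/version.php" <<EOF
<?php
\$wp_version = '$1';
EOF
  printf '%s\n' "$dir"
}

# Extract the version string from wp-includes/version.php under root $1.
# The sed script sees: s/^\$wp_version *= *'\([^']*\)'.*/\1/p
wp_installed_version() {
  sed -n "s/^\\\$wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}

# Return 0 if the install is at or above PATCHED_VERSION, 1 if older,
# 2 if the version could not be read.
wp_is_patched() {
  v=$(wp_installed_version "$1")
  [ -n "$v" ] || return 2
  # The smaller of the two versions under natural ordering; if that is the
  # patched version itself, the installed version is equal or newer.
  lowest=$(printf '%s\n%s\n' "$v" "$PATCHED_VERSION" | sort -V | head -n 1)
  [ "$lowest" = "$PATCHED_VERSION" ]
}

# Usage on a real site: wp_is_patched /var/www/html && echo "patched" || echo "UPDATE NEEDED"
```

Because the class at fault lives in core, a site whose core is at 6.4.2 or later is no longer exposed through this particular component even if a vulnerable plugin gadget remains installed; keeping plugins and themes current closes the other half of the chain.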
WordPress is a free, easy-to-use, and globally popular content management system. Thanks to its easy installation and extensive support, users can quickly create various types of websites, from online stores and portals to discussion forums.
According to data from W3Techs, WordPress accounted for 45.8% of all websites on the internet in 2023, up from 43.2% in 2022. This means that more than 2 out of every 5 websites use the WordPress platform.