Website administrators running WordPress are advised to update to version 6.4.2 to avoid becoming victims of attacks.
According to The Hacker News, WordPress has released version 6.4.2, which patches a serious security vulnerability that attackers could exploit, in combination with another bug, to execute arbitrary PHP code on websites that still carry the flaw.
WordPress said the remote code execution vulnerability is not directly exploitable in core, but its security team believes it could become high severity when combined with certain plugins, especially older versions, that are installed on many sites.
According to security company Wordfence, the issue stems from a class introduced in version 6.4 to improve HTML parsing in the block editor. An attacker who can exploit a PHP object injection vulnerability in any plugin or theme can chain it with this class to execute arbitrary code and take control of the target website, for example to delete arbitrary files, retrieve sensitive data, or run further code.
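To make the chain concrete, here is an added illustration; it is not WordPress code, not the class Wordfence analyzed, and not the PHPGGC chain. The hypothetical gadget `DestructGadget` passes attacker-controlled properties to `call_user_func()` from its destructor, `vulnerable_load()` stands in for a plugin or theme that unserializes user input, `build_payload()` writes the serialized object by hand, and the two hardened variants show the standard mitigations on the consumer side and on the gadget side. All class, function and property names are made up for the example.

```php
<?php
// Added illustration of PHP object injection feeding a POP chain. Every class
// and function here is hypothetical; none of it is WordPress, plugin, or PHPGGC code.

// A "gadget": harmless in normal use, dangerous once an attacker controls its state.
class DestructGadget {
    public $callback = null;   // attacker-chosen callable, e.g. "system"
    public $argument = null;   // attacker-chosen argument, e.g. a shell command

    public function __destruct() {
        // Runs when the object is released, i.e. right after unserialize()
        // builds it from user data. With attacker-set properties this is RCE.
        if (is_callable($this->callback)) {
            call_user_func($this->callback, $this->argument);
        }
    }
}

// The object-injection bug (plugin/theme side): attacker data reaches unserialize().
function vulnerable_load(string $untrusted): void {
    unserialize($untrusted);   // instantiates whatever class the payload names
}

// Attacker side: write the serialized form by hand so no gadget fires locally.
// Format: O:<len>:"Class":<n>:{s:<len>:"prop";s:<len>:"value";...}
function build_payload(string $callback, string $argument): string {
    $class = 'DestructGadget';
    return sprintf(
        'O:%d:"%s":2:{s:8:"callback";s:%d:"%s";s:8:"argument";s:%d:"%s";}',
        strlen($class), $class,
        strlen($callback), $callback,
        strlen($argument), $argument
    );
}

// Mitigation 1 (consumer side): never let untrusted data choose a class.
// allowed_classes => false turns every object into __PHP_Incomplete_Class,
// whose magic methods never run.
function hardened_load(string $untrusted) {
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Mitigation 2 (gadget side): refuse to be unserialized at all. PHP flags an
// object whose __wakeup() threw so that its __destruct() is skipped.
class HardenedGadget {
    public $callback = null;
    public $argument = null;

    public function __wakeup(): void {
        throw new LogicException(__CLASS__ . ' must never be unserialized');
    }

    public function __destruct() {
        if (is_callable($this->callback)) {
            call_user_func($this->callback, $this->argument);
        }
    }
}

// Demo with a harmless callback ('printf') standing in for 'system'.
$payload = build_payload('printf', "gadget fired: attacker callback executed\n");

echo "vulnerable_load: ";
vulnerable_load($payload);          // destructor fires, prints "gadget fired: ..."

echo "hardened_load: ";
$obj = hardened_load($payload);     // nothing fires
echo get_class($obj), "\n";         // __PHP_Incomplete_Class

echo "HardenedGadget: ";
try {
    // Same payload aimed at the hardened class (both names are 14 bytes long).
    unserialize(str_replace('14:"DestructGadget"', '14:"HardenedGadget"', $payload));
} catch (LogicException $e) {
    echo 'refused: ', $e->getMessage(), "\n";   // destructor does not fire
}
```

The point of the example is that neither half is exploitable alone: the gadget is dead code until something deserializes attacker input, and an `unserialize()` bug is only as dangerous as the classes loaded in the process. Removing either half (no untrusted `unserialize()`, or no class willing to be unserialized with dangerous magic methods) breaks the chain, which is why a core-only fix and a plugin audit are both worth doing.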
In a similar advisory, Patchstack said an exploit chain was published on GitHub on November 17 and added to the PHP Generic Gadget Chains (PHPGGC) project. Site owners should manually check their website to confirm it has actually been updated to the latest version rather than assume the automatic update ran.