WordPress has just released version 6.4.2 to address a serious security problem that could let attackers take advantage of vulnerable websites. When combined with another bug, the issue could allow them to execute arbitrary PHP code.
Even though the flaw is not directly exploitable in the core of WordPress, the security team is concerned about its potential severity when used with certain plugins, especially in multisite installations.
The problem lies in a new feature called the WP_HTML_Token class, which was introduced in version 6.4 to improve how the block editor handles HTML. According to Wordfence, a WordPress security company, a threat actor could use a PHP object injection vulnerability in any other plugin or theme to exploit this issue and execute harmful code, gaining control of the targeted site.
Wordfence warns that if a suitable gadget chain (referred to as a POP chain, for property-oriented programming) is present through an additional plugin or theme on the targeted system, it could allow the attacker to perform harmful actions like deleting files, accessing sensitive information, or running code on the website.
Patchstack, another company in the WordPress security space, has also issued a warning. They mention that an exploitation chain related to this issue has been available on GitHub since November 17 and has been added to the PHP Generic Gadget Chains (PHPGGC) project. Users are advised to check and update their websites manually to make sure they are running the latest version.
For developers, Patchstack’s CTO, Dave Jong, recommends replacing calls to PHP’s “unserialize” function with an alternative such as JSON encoding and decoding via the “json_encode” and “json_decode” functions, especially in projects that currently call unserialize. This precaution helps harden your WordPress projects against object injection.
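As an added illustration of that recommendation (example code written for this page, not code from the article, Patchstack or WordPress; it assumes PHP 7.3 or later for JSON_THROW_ON_ERROR), here is a small settings store shown first with the unserialize() pattern the article warns about and then rewritten to JSON. The one-time migration helper additionally uses PHP's allowed_classes option, which the article itself does not mention.

```php
<?php
// Added example, not from the article or from any WordPress project code.

// BEFORE: the pattern to remove. unserialize() on data an attacker can
// influence may instantiate any loaded class, which is exactly what a POP
// chain such as the WP_HTML_Token one needs in order to fire.
function load_settings_unsafe(string $stored): array
{
    $data = unserialize($stored);      // can construct arbitrary objects
    return is_array($data) ? $data : [];
}

// AFTER: the replacement Patchstack's CTO recommends. JSON can only carry
// scalars and arrays (with assoc = true), so no PHP object, and therefore
// no __wakeup()/__destruct() gadget, can ever be created from the input.
function save_settings(array $settings): string
{
    return json_encode($settings, JSON_THROW_ON_ERROR);
}

function load_settings_safe(string $stored): array
{
    $data = json_decode($stored, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// One-time migration of rows that were already stored in serialized form.
// allowed_classes => false (PHP 7.0+, an addition to the article's advice)
// makes unserialize() return __PHP_Incomplete_Class for any object instead
// of instantiating it, so the migration itself cannot trigger a gadget.
function migrate_legacy_row(string $serialized): string
{
    $data = unserialize($serialized, ['allowed_classes' => false]);
    if (!is_array($data)) {
        throw new RuntimeException('legacy row is not a plain array');
    }
    return save_settings($data);
}

// Constructed sample data: an innocuous settings array and its legacy
// serialized form, as a plugin might have stored it before the rewrite.
$settings  = ['theme' => 'dark', 'per_page' => 20];
$legacyRow = serialize($settings);

$migrated = migrate_legacy_row($legacyRow);
var_dump(load_settings_safe($migrated) === $settings);
```

Before deploying, search the code base for remaining unserialize() calls (for example `grep -rn "unserialize(" .`) so that none of them is left reading data a user can influence.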