WordPress POP CMS Vulnerability

WordPress POP CMS Vulnerability


WordPress has released a security update for the popular CMS to address a remote code execution vulnerability.

The vulnerability is a property oriented programming (POP) chain issue introduced in WordPress core 6.4 that can be combined with a different object injection flaw, allowing attackers to execute PHP code on vulnerable websites.

Advertisements

The bug persists in a class that was introduced in WordPress 6.4 to improve HTML parsing in the block editor. The vulnerable class includes a function that is executed automatically after PHP has processed a request and which uses properties that an attacker may have full control of.

WordPress notes that the RCE flaw is not exploitable directly in core but that, when combined with some plugins, it may pose a high risk.

To resolve the issue, WordPress added a new method that prevents the vulnerable function from executing, thus preventing exploitation. The vulnerability was patched in WordPress 6.4.2. Site owners and administrators are advised to update the fixed CMS version as soon as possible.

Advertisements

Wordfence noted that there are no indicators that the vulnerability is being exploited in malicious attacks. While most sites should automatically update to WordPress 6.4.2, we strongly recommend manually checking your site to ensure that it is updated.

1 Comment

  1. NICE POST 💖💓❤️

    Blessed and Happy day 🌄

    Greetings 👋🫂🇪🇸

    ❤️I GROW TOGETHER pk 🌎

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.