WordPress has produced variation 6.4.2 with a patch for a critical security flaw that could be exploited by danger actors by combining it with yet another bug to execute arbitrary PHP code on susceptible websites.
“A distant code execution vulnerability that is not right exploitable in main having said that, the security workforce feels that there is a possible for high severity when combined with some plugins, in particular in multisite installations,” WordPress said.
According to WordPress security enterprise Wordfence, the issue is rooted in the WP_HTML_Token course that was released in model 6.4 to enhance HTML parsing in the block editor.
A threat actor with the means to exploit a PHP object injection vulnerability current in any other plugin or topic to chain the two issues to execute arbitrary code and seize manage of the targeted website.
“If a POP [property-oriented programming] chain is present through an further plugin or topic set up on the concentrate on method, it could allow for the attacker to delete arbitrary files, retrieve sensitive info, or execute code,” Wordfence famous earlier in September 2023.
In a related advisory unveiled by Patchstack, the organization said an exploitation chain has been manufactured offered on GitHub as of November 17 and additional to the PHP Generic Gadget Chains (PHPGGC) job. It’s encouraged that customers manually check out their web sites to be certain that it is really updated to the most current variation.
“If you are a developer and any of your initiatives incorporate operate calls to the unserialize function, we highly advise you swap this with a little something else, these types of as JSON encoding/decoding utilizing the json_encode and json_decode PHP capabilities,” Patchstack CTO Dave Jong mentioned.
Located this write-up fascinating? Observe us on Twitter and LinkedIn to read more special written content we write-up.
Some parts of this article are sourced from:
thehackernews.com