WordPress 6.4.2 Update Addresses Critical Remote Code Execution Vulnerability
WordPress, powering over half the internet, faces a security challenge that its 6.4.2 update addresses. The update fixes a vulnerability tied to remote code execution, which poses a significant risk given WordPress’s widespread usage. The reported Property Oriented Programming (POP) chain vulnerability in version 6.4 requires a PHP object injection vulnerability in the target website, which often arises from add-ons or susceptible plugins.
WordPress acknowledges a Remote Code Execution vulnerability in the core, but the vulnerability becomes critical only when paired with certain plugins, particularly in multisite installations. The potential severity prompted a recent security update, though the core vulnerability isn’t immediately exploitable.
A Patchstack warning notes that an exploit chain was uploaded to GitHub, in the PHPGGC library, weeks prior. With 800 million sites using WordPress, its popularity makes it a target. Notably, vulnerabilities often stem from plugins, add-ons, and free themes, where developers may abandon projects and leave vulnerabilities unaddressed. As cyber threats loom, vigilance in updating and securing plugins becomes crucial for the millions relying on WordPress for website building.
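Because the core issue only matters when a plugin or theme supplies the PHP object injection, a site audit has two parts: confirm core is on 6.4.2, and look for plugin code that passes request data to `unserialize()`. The sketch below is an added example, not code from WordPress or Patchstack; the function names and sample inputs are hypothetical, it assumes the affected range is 6.4 releases below 6.4.2, and the line-based match is a triage heuristic rather than a full PHP parser.

```python
import re

# Constructed sample inputs (not taken from any real plugin or site).
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '6.4.1';\n"
SAMPLE_PLUGIN_PHP = """<?php
$prefs = unserialize(base64_decode($_COOKIE['prefs']));
$safe  = unserialize($row->meta, ['allowed_classes' => false]);
$opts  = maybe_unserialize($_POST['opts']);
$data  = json_decode($_GET['data'], true);
"""

SINK = re.compile(r"\b(?:maybe_)?unserialize\s*\(")
REQUEST_DATA = re.compile(r"\$_(?:GET|POST|COOKIE|REQUEST)\b")
NO_OBJECTS = re.compile(r"allowed_classes['\"]\s*=>\s*false")
VERSION = re.compile(r"\$wp_version\s*=\s*'(\d+(?:\.\d+)*)")


def core_needs_update(version_php):
    """True when wp-includes/version.php reports a 6.4 release below 6.4.2."""
    m = VERSION.search(version_php)
    if not m:
        raise ValueError("no $wp_version assignment found")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))           # "6.4" -> [6, 4, 0]
    return parts[:2] == [6, 4] and parts[2] < 2


def injection_candidates(php_source):
    """Lines where request data reaches unserialize() with objects allowed."""
    hits = []
    for number, line in enumerate(php_source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "#", "*")):
            continue                           # skip comment lines
        if not (SINK.search(line) and REQUEST_DATA.search(line)):
            continue
        if NO_OBJECTS.search(line):
            continue                           # object instantiation disabled
        hits.append((number, line.strip()))
    return hits


if __name__ == "__main__":
    print("core needs 6.4.2:", core_needs_update(SAMPLE_VERSION_PHP))
    for number, line in injection_candidates(SAMPLE_PLUGIN_PHP):
        print(f"line {number}: {line}")
```

Flagged lines are candidates for manual review; request data that is first assigned to a variable and unserialized on a later line will not be caught by this per-line check.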