WordPress has released a new version, 6.4.2, which fixes a remote code execution vulnerability. Paired with another flaw, attackers could run arbitrary PHP code on a WordPress website, and as almost half of the internet is thought to run on WordPress, the attack surface is quite wide.
According to the WordPress security team, version 6.4 was vulnerable to a Property Oriented Programming (POP) chain flaw that could be used for arbitrary PHP code execution, albeit under specific circumstances. Those circumstances require the target website to carry a PHP object injection flaw, which could be introduced by a vulnerable plugin or add-on. Together, the flaws become critical in severity.
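The dependency the article describes runs one way: a POP chain in core is only reachable when some other component hands attacker-controlled data to `unserialize()`. The defensive fix therefore belongs at that sink. The snippet below is an added example, not code from the article, from WordPress core or from any plugin; the function names `safe_unserialize` and `containsObject` and the sample inputs are constructed for illustration. It shows the hardening that prevents a deserialisation sink from instantiating any class at all, which is what a POP chain needs.

```php
<?php
// Added example (not WordPress or plugin code): hardening a deserialisation
// sink so that a PHP object injection flaw cannot seed a POP chain.

/**
 * Deserialise untrusted input without instantiating any class.
 *
 * With ['allowed_classes' => false] every serialised object becomes a
 * __PHP_Incomplete_Class placeholder, so no real class's __wakeup() or
 * __destruct() ever runs. We then reject the whole payload if any object
 * was present, because data that should be a plain array has no business
 * carrying objects.
 */
function safe_unserialize(string $input): mixed
{
    $value = @unserialize($input, ['allowed_classes' => false]);

    // unserialize() returns false on malformed input; 'b:0;' is the one
    // legitimate payload that also decodes to false.
    if ($value === false && $input !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialised data');
    }
    if (containsObject($value)) {
        throw new InvalidArgumentException('object found in serialised data');
    }
    return $value;
}

/** Recursively check a decoded value for any object, including placeholders. */
function containsObject(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample inputs: a benign settings array, and the same shape
// with an object smuggled inside it (stdClass stands in for any gadget class).
$benign  = serialize(['theme' => 'dark', 'per_page' => 20]);
$hostile = 'a:1:{s:5:"theme";O:8:"stdClass":0:{}}';

var_dump(safe_unserialize($benign));   // decodes to the original array

try {
    safe_unserialize($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The second argument to `unserialize()` exists since PHP 7.0, so the check costs nothing on supported versions. Where the data format is under your control, the stronger fix is to stop using PHP serialisation for untrusted input altogether and store it as JSON (`json_encode()`/`json_decode()` with associative arrays), which cannot express objects with behaviour.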
“A Remote Code Execution vulnerability that is not directly exploitable in core; however, the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installations,” WordPress said.
It’s not every day that we get a vulnerability in the WordPress core, but today is one of those days. Those interested in the technicalities of the flaw should refer to Wordfence’s technical analysis.
BleepingComputer further reported, citing a Patchstack notification, that an exploit chain had already been uploaded to GitHub weeks earlier and was later added to the PHPGGC library.
WordPress is by far the most popular website builder out there, powering 800 million sites. Its popularity also means it’s constantly under hackers’ magnifying glass; however, vulnerabilities are rarely found in WordPress itself. Instead, attackers find it easier to locate holes in plugins, add-ons, and themes, particularly free-to-use ones.
These are often built by enthusiasts or by people who later abandon or forget about the project, so vulnerabilities remain present for longer and are patched more slowly. Threat actors can use the flaws to steal data, redirect visitors to malicious sites, serve unwanted ads, and more.