WordPress has released a new version – 6.4.2, that fixes a remote code execution vulnerability. Used in pair with another flaw, hackers could run arbitrary PHP code on a WordPress website, and as almost half of the internet is thought to run on WordPress, the attack surface is quite wide.

As per the website builder security team, version 6.4 was vulnerable to a Property Oriented Programming (POP) chain flaw that could be used for arbitrary PHP code execution, albeit under specific circumstances. Those circumstances require the target website to carry a PHP object injection flaw, which could be introduced with a vulnerable plug-in, or an add-on. Together, the flaws become critical in severity.



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *