WordPress has released version 6.4.2, which patches a security vulnerability that threat actors could chain with a second vulnerability to execute arbitrary PHP code on vulnerable websites.
An announcement on the official WordPress website states: "This is a remote code execution vulnerability that cannot be exploited directly in core; however, the security team believes that when combined with certain plugins, especially in multisite installations, it can lead to serious security vulnerabilities."
According to WordPress security company Wordfence, the issue is rooted in the WP_HTML_Token class introduced in WordPress 6.4, which was designed to improve HTML parsing in the block editor.
A threat actor who can reach a PHP object injection vulnerability in any installed plugin or theme could chain the two issues to execute arbitrary code and take control of the target site. On its own the core class is only a gadget: it does nothing until attacker-controlled data is passed to unserialize() somewhere else in the installation.
Wordfence previously stated in September 2023: "If there is a POP [Property-Oriented Programming][1] chain via an additional plugin or theme installed on the target system, an attacker might be able to delete arbitrary files, retrieve sensitive data, or execute code."
In a similar announcement, Patchstack said that an exploit chain has been publicly available on GitHub since November 17[2] and has been added to the PHP Generic Gadget Chains (PHPGGC) project. Users are advised to manually check their website to ensure it is updated to the latest version; on a self-hosted site the installed version is recorded in wp-includes/version.php, and sites that rely on automatic updates should confirm the update actually applied.
"If you are a developer and any of your projects contain function calls to the deserialization function, we strongly recommend that you replace it with something else, such as JSON encoding/decoding using the json_encode and json_decode PHP functions," Patchstack Chief Technology Officer Dave Jong said.
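The two halves of the chain described above (a core class whose destructor runs a stored callable, and a plugin sink that hands attacker bytes to unserialize()) and the fixes Patchstack recommends can be shown side by side. The following is an added illustration written for this article, not WordPress core or any plugin's code: the class, function and property names (DemoToken, GuardedToken, on_destroy, demo_sink, the three *_load sinks) are hypothetical, and the serialized payload is constructed for the demo.

```php
<?php
// Added example, not WordPress or plugin code. Shows the shape of a
// destructor-driven POP gadget, the unserialize() sink that arms it, and
// two ways to break the chain. All names below are hypothetical.

function demo_sink(): void {
    // Stands in for whatever callable the attacker names in the payload;
    // the real chains reach file deletion or code execution.
    echo "destructor invoked an attacker-chosen callable\n";
}

// Gadget: a class whose __destruct() calls a callable kept in a property.
// Nothing here is malicious by itself; the problem is that unserialize()
// lets an attacker populate $on_destroy with data they control.
class DemoToken {
    public $on_destroy;            // hypothetical: intended for internal cleanup
    public function __destruct() {
        if ( is_callable( $this->on_destroy ) ) {
            call_user_func( $this->on_destroy );
        }
    }
}

// Same gadget, guarded on the class author's side: refuse to be revived
// from a serialized string at all. unserialize() aborts with the exception
// before the caller ever receives the object.
class GuardedToken extends DemoToken {
    public function __wakeup() {
        throw new LogicException( __CLASS__ . ' should never be unserialized' );
    }
}

// Sink 1 (vulnerable): a plugin reads a cookie, option or POST field and
// feeds it straight into unserialize(). Every class loaded in the process,
// core included, becomes a candidate gadget.
function vulnerable_load( string $raw ) {
    return unserialize( base64_decode( $raw ) );
}

// Sink 2 (defence in depth, PHP >= 7.0): keep unserialize() but forbid
// object revival. Objects in the payload become __PHP_Incomplete_Class,
// which has no destructor, so no gadget fires.
function restricted_load( string $raw ) {
    return unserialize( base64_decode( $raw ), [ 'allowed_classes' => false ] );
}

// Sink 3 (recommended): swap PHP serialization for JSON, which cannot
// instantiate classes at all. Only plain arrays come back.
function hardened_load( string $raw ) {
    $data = json_decode( base64_decode( $raw ), true );
    return is_array( $data ) ? $data : null;
}

// Constructed attacker payload: a DemoToken whose on_destroy names demo_sink.
$payload = base64_encode( 'O:9:"DemoToken":1:{s:10:"on_destroy";s:9:"demo_sink";}' );

echo "[1] unserialize():\n";
$obj = vulnerable_load( $payload );
unset( $obj );                       // destructor fires here (or at script end)

echo "[2] unserialize() with allowed_classes => false:\n";
$obj = restricted_load( $payload );
var_dump( get_class( $obj ) );       // string "__PHP_Incomplete_Class"
unset( $obj );                       // nothing attacker-chosen runs

echo "[3] json_decode():\n";
var_dump( hardened_load( $payload ) ); // NULL: a PHP-serialized string is not JSON

echo "[4] guarded gadget class:\n";
$guarded = base64_encode( 'O:12:"GuardedToken":1:{s:10:"on_destroy";s:9:"demo_sink";}' );
try {
    vulnerable_load( $guarded );
} catch ( LogicException $e ) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

Run it with `php demo.php`. Case 1 prints the sink's message even though the script never calls demo_sink() itself, which is the whole point of a POP chain. Cases 2 and 3 are the plugin-side fixes: allowed_classes is the smaller change when a plugin genuinely stores PHP-serialized data, json_decode is the cleaner one. Case 4 is the class-side fix, which protects against every unserialize() sink in the installation at once, including ones the class author has never seen.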
References:
[1] https://dl.acm.org/doi/10.1145/2660267.2660363
[2] https://github.com/ambionics/phpggc/tree/master/gadgetchains/WordPress/RCE
Original article by Chief Security Officer; if reproduced, please credit https://cncso.com/en/wordpress-high-risk-remote-code-execution-vulnerability-html