WordPress Update Mitigates RCE Vulnerability

WordPress has rolled out an update, version 6.4.2, to address a critical remote code execution (RCE) vulnerability. This flaw, part of a Property Oriented Programming (POP) chain, could potentially allow attackers to execute arbitrary PHP code on websites using the platform.

The vulnerability was discovered in WordPress core version 6.4 and involves the manipulation of object properties through PHP’s unserialize() function. This could lead to the hijacking of the application’s flow, particularly through magic methods like ‘__wakeup()’.

The risk is heightened when this vulnerability is combined with a PHP object injection flaw, which could be present in a plugin or theme add-on. The WordPress security team has emphasized the potential for high severity in such cases, especially for multisite installations.

Technical insights from Wordfence, a WordPress security firm, revealed that the vulnerability resides in the ‘WP_HTML_Token’ class. This class, which aids in HTML parsing for the block editor, contains a ‘__destruct’ magic method that executes functions based on the ‘on_destroy’ property.

An attacker could exploit this by controlling the ‘on_destroy’ property to execute arbitrary code. While the flaw is not deemed critical in isolation, its combination with other vulnerabilities in plugins or themes elevates the threat level for WordPress sites.
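To make the mechanism concrete, the following is an added illustration written for this article, not code from WordPress, Wordfence or Patchstack: a toy class with the shape described above (a destructor that invokes whatever callable its own property names), next to two defensive measures. Class and function names are invented, and the serialized input is constructed in the script itself.

```php
<?php
// Toy gadget shape (invented class, not WP_HTML_Token): the destructor
// calls a function chosen by the object's own state. If that state comes
// from untrusted unserialize() input, both values are attacker-chosen.
class ToyToken {
    public $on_destroy;
    public $arg;
    public function __destruct() {
        if (is_callable($this->on_destroy)) {
            echo "destructor ran: ", call_user_func($this->on_destroy, $this->arg), "\n";
        }
    }
}

// Mitigation 1 (consumer side): never let unserialize() instantiate classes.
// Any object in the input becomes __PHP_Incomplete_Class, whose magic
// methods are never invoked, so no destructor-based chain can fire.
function safe_unserialize(string $data) {
    $value = unserialize($data, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException('serialized object rejected');
    }
    return $value;
}

// Mitigation 2 (class side): a class that is never meant to be restored
// from serialized form refuses to wake up, so unserialize() cannot hand
// a live instance of it to the rest of the application.
class GuardedToken {
    public function __wakeup() {
        throw new LogicException(__CLASS__ . ' must not be unserialized');
    }
}

// Constructed, benign input: the callable is strlen, so the only effect
// is a printed length. It stands in for data a plugin might unserialize.
$t = new ToyToken();
$t->on_destroy = 'strlen';
$t->arg = 'hello';
$payload = serialize($t);   // O:8:"ToyToken":2:{...}
unset($t);                  // prints "destructor ran: 5" for the original object

unserialize($payload);      // unrestricted: object rebuilt and discarded, destructor prints again
try { safe_unserialize($payload); }
catch (UnexpectedValueException $e) { echo $e->getMessage(), "\n"; }   // rejected, nothing ran
try { unserialize('O:12:"GuardedToken":0:{}'); }
catch (LogicException $e) { echo $e->getMessage(), "\n"; }             // guard fires on wake-up
```

The first mitigation is the one a plugin or theme author controls at the call site; the second is the pattern for a core or library class whose destructor does real work and has no reason to exist in serialized form.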

Patchstack, a security platform for WordPress and plugins, reported that an exploit chain for this issue was uploaded to GitHub and subsequently added to the PHPGGC library, commonly used in PHP application security testing.

Given the potential severity of the vulnerability, WordPress advises site administrators to update to the latest version to mitigate the risk. While most updates occur automatically, it is recommended to verify that the update has been successfully applied. This proactive measure is crucial for maintaining the security and integrity of the over 800 million sites powered by WordPress.
