WordPress announced security release version 6.4.3 in response to two vulnerabilities discovered in WordPress, along with 21 bug fixes.
The first patch is for a PHP File Upload Bypass Via Plugin Installer vulnerability. It’s a flaw in WordPress that allows an attacker to upload PHP files via the plugin and theme uploader. PHP is a scripting language that is used to generate HTML. PHP files can also be used to inject malware into a website.
However, this vulnerability is not as bad as it sounds because the attacker needs administrator level permissions in order to execute this attack.
According to WordPress, the second patch is for a Remote Code Execution POP Chains vulnerability which could allow an attacker to remotely execute code.
An RCE POP chains vulnerability (POP stands for property-oriented programming) means there is a flaw that allows an attacker, typically by manipulating input that the WordPress site deserializes, to execute arbitrary code on the server by chaining together behaviour of classes that already exist in the application.
Serialization is the process where data is converted into a storable format (like a text string); deserialization is the step where it is converted back into its original form.
Wordfence describes this vulnerability as a PHP Object Injection vulnerability and doesn’t mention the RCE POP Chains part.
This is how Wordfence describes the second WordPress vulnerability:
“The second patch addresses the way that options are stored – it first sanitizes them before checking the data type of the option – arrays and objects are serialized, as well as already serialized data, which is serialized again. While this already happens when options are updated, it was not performed during site installation, initialization, or upgrade.”
This is also a low threat vulnerability in that an attacker would need administrator level permissions to launch a successful attack.
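To show what the "serialized again" rule in the quoted description achieves, here is a simplified illustration in PHP. It is an added example, not WordPress core or Wordfence code; the Greeter class and the looks_serialized, prepare_for_storage and read_from_storage helpers are assumptions made for this illustration.

```php
<?php
// Added example (not WordPress core code): a simplified stand-in for the rule
// that already-serialized strings are serialized once more before storage.

class Greeter {
    public $name = 'world';
    public $woke = false;
    // Magic method PHP calls automatically whenever an object is unserialized.
    public function __wakeup() { $this->woke = true; }
}

// Rough check for PHP serialized data (object, array, string, int, bool, float, null).
function looks_serialized(string $value): bool {
    return (bool) preg_match('/^(?:[Oasibd]:|N;)/', $value);
}

// Store side: arrays and objects are serialized, and a string that is *already*
// serialized is serialized again, so it can only ever come back as a string.
function prepare_for_storage($value): string {
    if (is_array($value) || is_object($value)) {
        return serialize($value);
    }
    if (is_string($value) && looks_serialized($value)) {
        return serialize($value);
    }
    return (string) $value;
}

// Read side: unserialize only what looks serialized. allowed_classes => false is an
// extra safeguard: any object becomes __PHP_Incomplete_Class and no magic method runs.
function read_from_storage(string $stored, bool $allow_objects = true) {
    if (!looks_serialized($stored)) {
        return $stored;
    }
    return unserialize($stored, ['allowed_classes' => $allow_objects]);
}

// Constructed sample: a string that happens to contain a serialized Greeter.
$serialized_object = serialize(new Greeter());

// Without the rule the string is stored as-is and comes back as a live object,
// so __wakeup() runs on read. This is the behaviour object injection relies on.
$unsafe = read_from_storage($serialized_object);
printf("stored raw      -> %s, __wakeup ran: %s\n",
    get_class($unsafe), var_export($unsafe->woke, true));

// With the rule the stored value is a serialized string, and reading it back
// yields the original string rather than an object.
$safe = read_from_storage(prepare_for_storage($serialized_object));
printf("stored via rule -> %s\n", gettype($safe));
```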
Nevertheless, the official WordPress announcement of the security and maintenance release recommends updating the WordPress installation:
“Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 4.1 and later.”
This release also fixes five bugs in the WordPress core:
Beyond the five fixes to the Core listed above, there are a further 16 bug fixes to the Block Editor.
Read the official WordPress Security and Maintenance Release announcement
WordPress descriptions of each of the 21 bug fixes
The Wordfence description of the vulnerabilities:
The WordPress 6.4.3 Security Update – What You Need to Know