WordPress fixes POP chain exposing websites to RCE attacks


WordPress has released version 6.4.2, which addresses a remote code execution (RCE) vulnerability that could be chained with another flaw to allow attackers to run arbitrary PHP code on the target website.

WordPress is a highly popular open-source content management system (CMS) used for creating and managing websites. It is currently used by more than 800 million sites, accounting for roughly 45% of all sites on the internet.

The project's security team discovered a Property Oriented Programming (POP) chain vulnerability that was introduced in WordPress core 6.4, which under certain conditions could allow arbitrary PHP code execution.

A POP chain requires an attacker to control all the properties of a deserialized object, which is possible with PHP's unserialize() function. A consequence of this is the possibility to hijack the application's flow by controlling the values sent to magic methods such as '__wakeup()'.

The security issue requires the presence of a PHP object injection flaw on the target site, which could be present in a plugin or theme add-on, to reach critical severity.

“A Remote Code Execution vulnerability that is not directly exploitable in core; however, the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installations.” - WordPress

A PSA by WordPress security experts at Wordfence provides some additional technical details on the problem, explaining that the issue is in the ‘WP_HTML_Token’ class, introduced in WordPress 6.4 to improve HTML parsing in the block editor.

The class contained a '__destruct' magic method, which used 'call_user_func' to execute a function defined in the 'on_destroy' property, with 'bookmark_name' as an argument.

An attacker exploiting an object injection vulnerability could gain control over these properties to execute arbitrary code, the researchers say.

[Figure: Class destructor that conditionally executes a callback function (Patchstack)]
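To make the mechanism concrete, here is an added example (not WordPress's code, and not the PHPGGC gadget) built around a hypothetical class named TokenLike that reproduces the destructor pattern described above: a callable stored in an 'on_destroy' property is invoked from '__destruct' with 'bookmark_name' as its argument. It shows why a plain unserialize() of attacker-controlled data is enough to trigger the callback, and then two standard hardening measures: passing 'allowed_classes' => false at the call site, and giving the class a '__wakeup()' that refuses deserialization. The serialized blobs, the record() callback and the class names are all constructed for this demonstration.

```php
<?php
// Hypothetical class modelled on the destructor pattern the article describes
// (a callable property invoked from __destruct). Not WordPress's own code.
class TokenLike {
    public $on_destroy;
    public $bookmark_name;
    public function __destruct() {
        if (is_callable($this->on_destroy)) {
            call_user_func($this->on_destroy, $this->bookmark_name);
        }
    }
}

// Hardened variant: an instance can never be rebuilt by unserialize(), so the
// destructor is only ever reached on objects the application created itself.
class HardenedTokenLike extends TokenLike {
    public function __wakeup() {
        throw new LogicException(__CLASS__ . ' should never be unserialized');
    }
}

$runs = 0;
function record($name) { global $runs; $runs++; }  // stands in for the real callback

// Constructed sample input: serialized blobs produced from harmless objects so the
// demo stays self-contained. The originals are neutralised before being released.
$t = new TokenLike();
$t->on_destroy = 'record'; $t->bookmark_name = 'demo';
$blob = serialize($t);
$t->on_destroy = null; unset($t);
$h = new HardenedTokenLike();
$h->on_destroy = 'record'; $h->bookmark_name = 'demo';
$hardenedBlob = serialize($h);
$h->on_destroy = null; unset($h);

// 1. Plain unserialize() rebuilds the object; __destruct fires as soon as it is released.
$obj = unserialize($blob);
unset($obj);
echo "plain unserialize: runs=$runs\n";

// 2. Call-site mitigation: allowed_classes => false yields __PHP_Incomplete_Class,
//    which has no destructor, so no callback can run.
$obj = unserialize($blob, ['allowed_classes' => false]);
echo "allowed_classes=false: " . get_class($obj) . ", runs=$runs\n";
unset($obj);

// 3. Class-side mitigation: __wakeup() throws and PHP discards the half-built object
//    without calling its destructor, so the run counter does not move.
try {
    unserialize($hardenedBlob);
} catch (LogicException $e) {
    echo "hardened: " . $e->getMessage() . ", runs=$runs\n";
}
```

Only the first case increments the counter; the call-site and class-side mitigations each leave it unchanged, which is the property a patch or a code review should verify.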

Although the flaw isn't critical on its own, because it requires object injection in an installed and active plugin or theme, the presence of an exploitable POP chain in WordPress core significantly increases the overall risk for WordPress sites.

Another notification from Patchstack, a security platform for WordPress and plugins, highlights that an exploit chain for this issue was uploaded several weeks ago on GitHub and later added to the PHPGGC library, which is used in PHP application security testing.

Even though the vulnerability is only potentially critical and is exploitable under certain circumstances, researchers recommend that admins update to the latest WordPress version. Even though most sites install the new version automatically, researchers advise checking manually that the update completed.