Heads up, WordPress admins! Update your websites as soon as possible: a severe remote code execution (RCE) vulnerability threatens WordPress sites and can lead to full website takeover. WordPress patched the flaw in the latest version, 6.4.2.
A POP Chain Vulnerability In WordPress Could Allow RCE Attacks
WordPress recently released version 6.4.2 with a major security update. As explained in its advisory, this release addressed a critical code execution flaw allowing WordPress website takeover.
Specifically, the WordPress Security Team discovered and patched seven different bugs affecting WordPress Core. One of these is a security fix addressing a PHP code execution flaw. WordPress clarified that its team believes the flaw may pose a serious threat despite not being directly exploitable in core. Hence, they urge WordPress administrators to update their websites as soon as possible to avoid potential threats.
While WordPress didn’t elaborate on the flaw, the security firm Wordfence shared a detailed analysis in their post.
As elaborated, the vulnerability was a Property Oriented Programming (POP) chain vulnerability. It affected the WP_HTML_Token class, which was introduced in WordPress 6.4 for improved HTML parsing in the block editor. The class includes a __destruct magic method, which allowed an adversary to exploit the flaw and take over the target website.
This __destruct method uses call_user_func to execute the function passed in through the on_destroy property, accepting the bookmark_name property as an argument… Since an attacker able to exploit an Object Injection vulnerability would have full control over the on_destroy and bookmark_name properties, they can use this to execute arbitrary code on the site to easily gain full control.
This vulnerability affects WordPress 6.4 to 6.4.1. To patch this issue, WordPress introduced a __wakeup method with version 6.4.2, which prevents the execution of the __destruct function.
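The pattern and the guard described above can be seen side by side in the following added example, which is not WordPress or Wordfence code. The class names DemoTokenBefore and DemoTokenAfter, the helper sample_blob and the harmless callback record_call are hypothetical stand-ins, and the serialized input is constructed by the script itself.

```php
<?php
// Added illustration: hypothetical stand-in classes, not WordPress source.
$calls = [];                         // records every callback invocation

function record_call($arg) {         // harmless stand-in for the callable
    global $calls;
    $calls[] = $arg;
}

class DemoTokenBefore {
    public $bookmark_name = null;
    public $on_destroy = null;

    // Runs on destruction, including for objects created by unserialize().
    public function __destruct() {
        if (is_callable($this->on_destroy)) {
            call_user_func($this->on_destroy, $this->bookmark_name);
        }
    }
}

class DemoTokenAfter extends DemoTokenBefore {
    // Guard in the style of the fix: refuse to be unserialized at all.
    public function __wakeup() {
        throw new LogicException(__CLASS__ . ' should never be unserialized');
    }
}

// Constructed sample data: serialize an instance, then disarm the original
// so only an unserialized copy could trigger the callback.
function sample_blob($class) {
    $t = new $class();
    $t->bookmark_name = 'demo';
    $t->on_destroy = 'record_call';
    $blob = serialize($t);
    $t->on_destroy = null;
    return $blob;
}

foreach (['DemoTokenBefore', 'DemoTokenAfter'] as $class) {
    $calls = [];
    try {
        $obj = unserialize(sample_blob($class));
        unset($obj);                 // destructor of the copy runs here
    } catch (LogicException $e) {
        echo "$class: blocked ({$e->getMessage()})\n";
    }
    echo "$class: callback ran " . count($calls) . " time(s)\n";
}
```

When __wakeup throws, PHP marks the half-built object so that its destructor is skipped, which is why the guarded class never reaches call_user_func.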
Wordfence explained that WordPress doesn’t exhibit any known object injection vulnerabilities. However, such flaws are common in WordPress themes and plugins. Thus, an attacker may chain those plugins’ vulnerabilities with this flaw to achieve code execution.
Now that the vulnerability details are known publicly, it’s crucial for all users to update their websites immediately to remain safe from possible attacks.