Update WordPress now to fix this significant security flaw

A flaw in WordPress core can easily turn critical, if admins are not careful


WordPress has released a new version, 6.4.2, which fixes a remote code execution vulnerability. Chained with another flaw, attackers could run arbitrary PHP code on a WordPress website, and as almost half of the internet is thought to run on WordPress, the attack surface is quite wide.

According to the website builder's security team, version 6.4 was vulnerable to a Property Oriented Programming (POP) chain flaw that could be used for arbitrary PHP code execution, albeit under specific circumstances. Those circumstances require the target website to carry a PHP object injection flaw, which could be introduced by a vulnerable plugin or add-on. Together, the flaws become critical in severity.
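The prerequisite described above is a sink where untrusted input reaches unserialize(). The following PHP snippet is an added illustration, not code from the article, WordPress or any plugin: it uses a constructed, harmless AuditMarker class and constructed input to show why such a sink lets an attacker pick which classes get instantiated, and how the allowed_classes option (or JSON) closes it.

```php
<?php
// Added example (not from the article or WordPress core): the PHP object
// injection sink that makes a core POP chain reachable, and its hardened form.

// Harmless stand-in for a "gadget": a class whose magic method runs
// automatically when a serialized instance of it is rebuilt.
class AuditMarker {
    public string $note = '';
    // __wakeup() executes during unserialize() without any call from app code.
    public function __wakeup(): void {
        echo "AuditMarker::__wakeup ran with note='{$this->note}'\n";
    }
}

// Vulnerable sink: untrusted data hits unserialize() with default options, so
// the sender decides which classes are instantiated and which magic methods run.
function restoreStateUnsafe(string $untrusted): mixed {
    return unserialize($untrusted);
}

// Hardened sink: refuse to instantiate any class. Object records degrade to
// __PHP_Incomplete_Class and no __wakeup/__destruct logic is triggered.
function restoreStateSafe(string $untrusted): mixed {
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Preferred fix when you control the format: JSON cannot carry behaviour.
function restoreStateJson(string $untrusted): mixed {
    return json_decode($untrusted, true, 512, JSON_THROW_ON_ERROR);
}

// Constructed input: a serialized AuditMarker, standing in for a request
// parameter or cookie value that a plugin feeds straight into unserialize().
$constructed = 'O:11:"AuditMarker":1:{s:4:"note";s:8:"injected";}';

$obj = restoreStateUnsafe($constructed);   // __wakeup line is printed
var_dump(get_class($obj));                 // string(11) "AuditMarker"

$safe = restoreStateSafe($constructed);    // nothing printed
var_dump(get_class($safe));                // "__PHP_Incomplete_Class"
```

Reviewing a plugin for calls to unserialize() on request-derived data (cookies, POST fields, option values written from user input) and replacing them with one of the two safe variants removes the precondition the article describes, regardless of which gadget chain exists in core.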

“A Remote Code Execution vulnerability that is not directly exploitable in core; however, the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installations,” WordPress said.

Exploit available

It’s not every day that we get a vulnerability in the WordPress core, but today is one of those days; those interested in the technical details of the flaw should refer to Wordfence’s technical analysis here.

BleepingComputer further reported on a Patchstack notification that an exploit chain had already been uploaded to GitHub weeks earlier, and was later added to the PHPGGC library as well.

WordPress is by far the most popular website builder out there, powering 800 million sites. Its popularity also means it’s constantly under hackers’ magnifying glass; however, vulnerabilities are rarely found in WordPress itself. Instead, attackers find it easier to locate holes in plugins, add-ons, and themes, particularly free-to-use ones.

These are often built by enthusiasts or people who later abandon or forget about the project, resulting in vulnerabilities being present for longer, and patched more slowly. Threat actors can use the flaws to steal data, redirect visitors to other malicious sites, serve unwanted ads, and more.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.