The 6.4.2 update is the latest version of WordPress and addresses a vulnerability related to remote code execution. Since WordPress is said to be used by over half of the internet, attackers could combine this vulnerability with another one to execute arbitrary PHP code on a WordPress website, which makes for a large attack surface.
The WordPress security team recently reported that, under some conditions, version 6.4 was susceptible to a Property Oriented Programming (POP) chain vulnerability that could be leveraged to execute arbitrary PHP code.
Specifically, the target website must also contain a PHP object injection vulnerability, which could be introduced by an add-on or a vulnerable plugin. On its own the core flaw is not exploitable; combined with such an injection point, the two weaknesses become far more serious.
WordPress stated that the Remote Code Execution vulnerability is not directly exploitable in core, but that it may be quite serious when paired with certain plugins, especially in multisite installations.
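The chain described above only works if some plugin hands attacker-controlled data to `unserialize()`. The following added example (not from the article, WordPress core, or any real plugin) shows a hypothetical preferences cookie handled the vulnerable way beside two hardened alternatives; the function names, the cookie name and the `$secret` parameter are assumptions.

```php
<?php
// Constructed example of a PHP object injection sink in a hypothetical plugin,
// plus the defensive rewrite. Not code from WordPress core or any real plugin.

// VULNERABLE: unserialize() on attacker-controlled input instantiates whatever
// classes are loaded in the WordPress process. This is exactly the injection
// point a POP chain (in core or in another plugin) needs to reach code execution.
function vulnerable_load_prefs(): array {
    $raw   = $_COOKIE['myplugin_prefs'] ?? '';
    $prefs = unserialize(base64_decode($raw));   // object injection sink
    return is_array($prefs) ? $prefs : [];
}

// HARDENED: store plain JSON (arrays only, never objects), authenticate it with
// an HMAC keyed on a site secret (in WordPress, e.g. derived from wp_salt()),
// and allow-list the keys and value types the plugin actually uses.
function hardened_load_prefs(string $secret): array {
    $raw = $_COOKIE['myplugin_prefs'] ?? '';
    [$b64, $mac] = array_pad(explode('.', $raw, 2), 2, '');
    $json = base64_decode($b64, true);
    if ($json === false || !hash_equals(hash_hmac('sha256', $json, $secret), $mac)) {
        return [];                               // tampered or malformed: ignore
    }
    $prefs = json_decode($json, true, 4);        // assoc arrays only, depth-limited
    if (!is_array($prefs)) {
        return [];
    }
    $theme = $prefs['theme'] ?? 'light';
    return [
        'theme'    => in_array($theme, ['light', 'dark'], true) ? $theme : 'light',
        'per_page' => max(1, min(100, (int) ($prefs['per_page'] ?? 20))),
    ];
}

// If legacy serialized data must still be read, refuse object instantiation
// outright: with allowed_classes => false, any object in the payload becomes
// __PHP_Incomplete_Class and no magic methods (__wakeup, __destruct) can run.
function legacy_load_prefs(string $data): array {
    $v = unserialize($data, ['allowed_classes' => false]);
    return is_array($v) ? $v : [];
}
```

The same review rule applies to any plugin or theme: treat every `unserialize()` call on data from cookies, request parameters, or untrusted database rows as a finding, regardless of whether a gadget chain is currently known.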
Utilising Available Options
BleepingComputer also reported that, according to a Patchstack advisory, an exploit chain for this issue had been added to the PHPGGC library and uploaded to GitHub several weeks earlier.
With 800 million sites, WordPress is by far the most widely used website builder available. Because of its widespread use, the platform has frequently been targeted by attackers, yet vulnerabilities in the core platform itself are uncommon. Instead, vulnerabilities in plugins, add-ons, and themes, especially those that are free to use, are becoming easier for attackers to discover.
“These are sometimes created by hobbyists or individuals who subsequently give up on the project or forget about it, which causes vulnerabilities to remain unfixed for longer periods of time before being fixed. Threat actors may leverage these vulnerabilities to provide unsolicited advertisements, reroute users to other malicious websites, steal data, and more,” stated Techradar, while reporting on the issue.