WordPress version 6.4.2 has been released, addressing a critical security flaw that could potentially allow threat actors to execute arbitrary PHP code on vulnerable sites [2] [3] [4]. This flaw, introduced in version 6.4 [2] [3] [4], poses a high severity risk when combined with certain plugins, particularly in multisite installations [1] [2] [3] [4].


The vulnerability lies within the WPHTMLToken class and is classified as an object injection vulnerability. While it cannot be directly exploited in the core, it can be leveraged in conjunction with specific plugins to create a significant security risk. To exploit this flaw [1], an attacker would need to have control over all properties of a deserialized object and exploit a PHP object injection vulnerability on the target site.

An exploitation chain has been made available on GitHub and has been added to the PHP Generic Gadget Chains project [2] [3] [4]. To mitigate the risk [5], it is strongly recommended that users manually check their sites and update to the latest version of WordPress [2]. Additionally, developers are advised to replace function calls to the unserialize function with alternatives such as JSON encoding/decoding using the jsonencode and jsondecode PHP functions [2] [3] [4].


In order to protect against potential attacks, it is crucial for users to remain vigilant and implement recommended mitigation measures [1]. Staying informed about the latest security updates and best practices is also essential. By taking these precautions, users can minimize the impact of this vulnerability and ensure the security of their WordPress sites in the future.


[1] https://gridinsoft.com/blogs/wordpress-vulnerability-fixed-patch-642/
[2] https://thehackernews.com/2023/12/wordpress-releases-update-642-to.html
[3] https://flyytech.com/2023/12/10/wordpress-releases-update-6-4-2-to-address-critical-remote-attack-vulnerability/
[4] https://www.443news.com/2023/12/wordpress-releases-update-6-4-2-to-address-critical-remote-attack-vulnerability/
[5] https://www.redmention.com/news/wordpress-releases-model-6-4-2-for-essential-vulnerability/