WordPress introduced a safety launch model 6.4.3 as a response to 2 vulnerabilities found in WordPress plus 21 bug fixes.
PHP File Add Bypass
The primary patch is for a PHP File Add Bypass Through Plugin Installer vulnerability. It’s a flaw in WordPress that enables an attacker to add PHP information by way of the plugin and theme uploader. PHP is a scripting language that’s used to generate HTML. PHP information can be used to inject malware into a web site.
Nonetheless, this vulnerability is just not as unhealthy because it sounds as a result of the attacker wants administrator degree permissions with a purpose to execute this assault.
PHP Object Injection Vulnerability
In line with WordPress the second patch is for a Distant Code Execution POP Chains vulnerability which may enable an attacker to remotely execute code.
An RCE POP Chains vulnerability sometimes signifies that there’s a flaw that enables an attacker, sometimes by means of manipulating enter that the WordPress website deserializes, to execute arbitrary code on the server.
Deserialization is the method the place knowledge is transformed right into a serialized format (like a textual content string) deserialization is the half when it’s transformed again into its authentic type.
Wordfence describes this vulnerability as a PHP Object Injection vulnerability and doesn’t point out the RCE POP Chains half.
That is how Wordfence describes the second WordPress vulnerability:
“The second patch addresses the best way that choices are saved – it first sanitizes them earlier than checking the info kind of the choice – arrays and objects are serialized, in addition to already serialized knowledge, which is serialized once more. Whereas this already occurs when choices are up to date, it was not carried out throughout website set up, initialization, or improve.”
That is additionally a low risk vulnerability in that an attacker would want administrator degree permissions to launch a profitable assault.
However, the official WordPress announcement of the security and maintenance release recommends updating the WordPress set up:
“As a result of it is a safety launch, it is suggested that you just replace your websites instantly. Backports are additionally obtainable for different main WordPress releases, 4.1 and later.”
Bug Fixes In WordPress Core
This launch additionally fixes 5 bugs within the WordPress core:
- Textual content isn’t highlighted when modifying a web page in newest Chrome Dev and Canary
- Replace default PHP model utilized in native Docker Setting for older branches
- wp-login.php: login messages/errors
- Deprecated print_emoji_styles produced throughout embed
- Attachment pages are solely disabled for customers which can be logged in
Along with the above 5 fixes to the Core there are an extra 16 bug fixes to the Block Editor.
Learn the official WordPress Security and Maintenance Release announcement
The Wordfence description of the vulnerabilities:
Featured Picture by Shutterstock/Roman Samborskyi