"WordPress 6.4.2 Patches Remote Code Execution Vulnerability"

WordPress recently released a security update for the popular content management system (CMS) to address a remote code execution (RCE) vulnerability. Security researchers at Defiant noted that the flaw addressed in the open-source CMS is a property-oriented programming (POP) chain issue introduced in WordPress core 6.4. The researchers stated that it can be combined with a different object injection flaw, allowing attackers to execute PHP code on vulnerable websites. The bug was identified in a class introduced in WordPress 6.4 to improve HTML parsing in the block editor. To resolve the issue, WordPress added a new method that prevents the vulnerable function from executing, thus preventing exploitation. The RCE bug was patched in WordPress 6.4.2. Site owners and administrators are advised to update to the fixed CMS version immediately.

 

SecurityWeek reports: "WordPress 6.4.2 Patches Remote Code Execution Vulnerability"

Submitted by Adam Ekwall on