WordPress introduced a safety launch model 6.4.3 as a response to 2 vulnerabilities found in WordPress plus 21 bug fixes.
PHP File Add Bypass
The primary patch is for a PHP File Add Bypass Through Plugin Installer vulnerability. It’s a flaw in WordPress that permits an attacker to add PHP recordsdata by way of the plugin and theme uploader. PHP is a scripting language that’s used to generate HTML. PHP recordsdata can be used to inject malware into an internet site.
Nevertheless, this vulnerability is just not as unhealthy because it sounds as a result of the attacker wants administrator stage permissions as a way to execute this assault.
PHP Object Injection Vulnerability
In accordance with WordPress the second patch is for a Distant Code Execution POP Chains vulnerability which might enable an attacker to remotely execute code.
An RCE POP Chains vulnerability usually signifies that there’s a flaw that permits an attacker, usually via manipulating enter that the WordPress website deserializes, to execute arbitrary code on the server.
Deserialization is the method the place information is transformed right into a serialized format (like a textual content string) deserialization is the half when it’s transformed again into its authentic kind.
Wordfence describes this vulnerability as a PHP Object Injection vulnerability and doesn’t point out the RCE POP Chains half.
That is how Wordfence describes the second WordPress vulnerability:
“The second patch addresses the way in which that choices are saved – it first sanitizes them earlier than checking the info sort of the choice – arrays and objects are serialized, in addition to already serialized information, which is serialized once more. Whereas this already occurs when choices are up to date, it was not carried out throughout website set up, initialization, or improve.”
That is additionally a low risk vulnerability in that an attacker would want administrator stage permissions to launch a profitable assault.
Nonetheless, the official WordPress announcement of the safety and upkeep launch recommends updating the WordPress set up:
“As a result of it is a safety launch, it is suggested that you simply replace your websites instantly. Backports are additionally obtainable for different main WordPress releases, 4.1 and later.”
Bug Fixes In WordPress Core
This launch additionally fixes 5 bugs within the WordPress core:
- Textual content isn’t highlighted when modifying a web page in newest Chrome Dev and Canary
- Replace default PHP model utilized in native Docker Atmosphere for older branches
- wp-login.php: login messages/errors
- Deprecated print_emoji_styles produced throughout embed
- Attachment pages are solely disabled for customers which are logged in
Along with the above 5 fixes to the Core there are an extra 16 bug fixes to the Block Editor.
Learn the official WordPress Safety and Upkeep Launch announcement
WordPress descriptions of every of the 21 bug fixes
The Wordfence description of the vulnerabilities:
The WordPress 6.4.3 Safety Replace – What You Must Know
Featured Picture by Shutterstock/Roman Samborskyi