Critical WordPress Vulnerability Patched: Remote Code Execution Possible

A critical security vulnerability patched in the recent WordPress 6.4.2 update could have allowed attackers to take full control of vulnerable websites. While the vulnerability itself resided within WordPress core, its potential for harm relied on the presence of another common vulnerability: PHP object injection.

What makes this situation particularly concerning is the recent release of an “exploitation chain” making it easier for malicious actors to exploit any existing object injection vulnerability. This combination would have allowed attackers to execute arbitrary code on affected websites, potentially leading to data theft, website defacement, and even malware installation.

“A Remote Code Execution vulnerability that is not directly exploitable in core, however the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installs,” the WordPress security team wrote.

The Vulnerability in Detail:

The vulnerability stemmed from a feature introduced in WordPress 6.4 aimed at improving HTML parsing in the block editor. This feature involved the WP_HTML_Token class, which contained a __destruct method automatically executed after PHP processed the request. This method accepted a function and an argument, both of which could be controlled by attackers through an existing object injection vulnerability.

public function __destruct() {
    if ( is_callable( $this->on_destroy ) ) {
        call_user_func( $this->on_destroy, $this->bookmark_name );
        }
}

By exploiting this vulnerability, attackers could gain the ability to execute arbitrary code on the website, essentially taking full control.

“Since an attacker able to exploit an Object Injection vulnerability would have full control over the on_destroy and bookmark_name properties, they can use this to execute arbitrary code on the site to easily gain full control.

While WordPress Core currently does not have any known object injection vulnerabilities, they are rampant in other plugins and themes. The presence of an easy-to-exploit POP chain in WordPress core substantially increases the danger level of any Object Injection vulnerability,” the Wordfence security team explains.

The Patch and Why it Matters:

The patch for this vulnerability is simple yet effective. It adds a new __wakeup method to the WP_HTML_Token class. This method ensures that any serialized object with this class throws an error, preventing the malicious __destruct function from being executed.

public function __wakeup() {
   throw new \LogicException( __CLASS__ . ' should never be unserialized' );
}

While WordPress core itself doesn’t currently have any known object injection vulnerabilities, many plugins, and themes do. The presence of the easily-exploited vulnerability in WordPress core significantly amplified the danger posed by these existing object injection vulnerabilities.

What You Should Do:

All WordPress users are urged to update to version 6.4.2 immediately, regardless of whether they are running version 6.4 or 6.4.1. This update is critical for protecting your website from this dangerous vulnerability.

Additionally, it’s crucial to keep all plugins and themes up-to-date and regularly scan your website for vulnerabilities. These additional precautions will further enhance your website’s security posture and minimize the risk of cyberattacks.