According to The Hacker News, WordPress has released version 6.4.2, which patches a serious security vulnerability that could be exploited by hackers in combination with another bug to execute arbitrary PHP code on websites that still have the vulnerability.

The remote code execution vulnerability is not exploitable directly in the core, but the security team feels it has the potential to cause a high severity vulnerability when combined with certain plugins, especially in multisite installations, the company said.

According to security firm Wordfence, the issue stems from a class introduced in version 6.4 to improve HTML parsing in the block editor. Through this, an attacker could exploit the vulnerability to inject PHP objects contained in plugins or themes that could be combined to execute arbitrary code and gain control of the targeted website. As a result, the attacker could delete arbitrary files, retrieve sensitive data, or execute code.

In a similar advisory, Patchstack said an exploit chain was found on GitHub as of November 17 and added to the PHP Common Utility Chains (PHPGGC) project. Users should manually check their websites to ensure they have updated to the latest version.

WordPress is a free, easy-to-use, and globally popular content management system. With easy installation and extensive support, users can quickly create all kinds of websites from online stores, portals, discussion forums...

According to data from W3Techs, WordPress will power 45.8% of all websites on the internet in 2023, up from 43.2% in 2022. That means more than 2 out of every 5 websites will be powered by WordPress.