The WordPress 6.4.3 Security Update – What You Need to Know

Today, January 30, 2024, WordPress released version 6.4.3, which contains two security patches for longstanding, albeit minor, security concerns in WordPress Core.

The first patch addresses an issue that allows users with Administrator (or Super Administrator on Multisite) privileges to upload PHP files directly to a site via the Plugin and Theme file upload mechanism. This is only a concern in heavily locked-down configurations that disallow Administrators and Super Administrators from installing plugins and themes via a separate mechanism. Wordfence has tracked this as a low-priority informational security alert since August 2023, though it has been public since August 2018.

The second patch addresses the way options are stored: option values are now sanitized before the option's data type is checked. Arrays and objects are serialized, and data that is already serialized is serialized again. This already happened when options were updated, but it was not performed during site installation, initialization, or upgrade. According to the 6.4.3 release post, this is intended to address a potential PHP Object Injection issue.
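To make the serialization behaviour concrete, here is an added PHP illustration (not code from this post and not WordPress core code). It uses simplified stand-ins for WordPress's maybe_serialize()/maybe_unserialize() round trip; the function names, the simplified serialized-string check and the sample value are hypothetical and constructed for the example. It contrasts storing a scalar as-is with the sanitized path that serializes already-serialized data a second time.

```php
<?php
// Added illustration, not WordPress core code: simplified stand-ins for the
// maybe_serialize()/maybe_unserialize() round trip that WordPress applies to
// option values. Function names here are hypothetical; only the behaviour
// (arrays/objects serialized, already-serialized strings serialized again)
// mirrors what the 6.4.3 release post describes.

// Minimal check for a PHP-serialized string. WordPress's is_serialized() is
// more thorough; this stand-in only recognises the common type prefixes.
function looks_serialized(string $data): bool
{
    $data = trim($data);
    if ($data === 'N;') {
        return true;
    }
    if (strlen($data) < 4 || $data[1] !== ':') {
        return false;
    }
    $last = substr($data, -1);
    if ($last !== ';' && $last !== '}') {
        return false;
    }
    return in_array($data[0], ['a', 'O', 's', 'i', 'b', 'd'], true);
}

// Pre-fix behaviour on the install/upgrade code paths, as the post describes it:
// scalars are written as-is, so a string that happens to contain serialized data
// is stored unchanged and will be unserialized when the option is read.
function store_option_unsanitized($value): string
{
    return (is_array($value) || is_object($value)) ? serialize($value) : (string) $value;
}

// Fixed behaviour: arrays and objects are serialized, and a string that already
// looks serialized is serialized a second time, so on read it comes back as the
// same plain string instead of being turned into an object.
function store_option_sanitized($value): string
{
    if (is_array($value) || is_object($value)) {
        return serialize($value);
    }
    if (is_string($value) && looks_serialized($value)) {
        return serialize($value);
    }
    return (string) $value;
}

// Stand-in for maybe_unserialize(): unserialize only what looks serialized.
// Production code should restrict unserialize() with the 'allowed_classes'
// option; plain unserialize() is used here only so the object instantiation
// is visible in the demonstration.
function read_option(string $stored)
{
    return looks_serialized($stored) ? unserialize($stored) : $stored;
}

// Constructed sample: a harmless stdClass payload supplied as a plain string value.
$serialized_looking_string = 'O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}';

// Unsanitized path: the stored text is live serialized data, so reading the
// option instantiates an object instead of returning the string.
$before = read_option(store_option_unsanitized($serialized_looking_string));
var_dump(is_object($before));

// Sanitized path: the string was serialized again, so it round-trips as a string.
$after = read_option(store_option_sanitized($serialized_looking_string));
var_dump($after === $serialized_looking_string);

// Ordinary structured values still round-trip normally on the fixed path.
$settings = ['enabled' => true, 'limit' => 10];
var_dump(read_option(store_option_sanitized($settings)) === $settings);
```

Run with `php example.php`: the first check shows the unsanitized path turning a string into an object on read, the second shows the sanitized path returning the original string, and the third confirms that arrays are unaffected. The design point is that the fix is a storage-time normalization, which is why code paths that bypassed it (install, initialization, upgrade) needed the same treatment as update_option().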

Both issues appear to require a highly privileged user or an attacker stumbling upon a site with an incomplete installation to exploit, and are likely to impact few WordPress sites in the real world.

Both patches have been backported to version 4.1 and later of WordPress.

Conclusion

The WordPress 6.4.3 security patches addressed two minor issues in WordPress core and can primarily be considered increased hardening, as the circumstances in which they are likely to have a security impact are incredibly rare. Nonetheless, we recommend updating in a reasonable time frame, especially if your site relies on a hardened configuration due to regulatory requirements.

The post The WordPress 6.4.3 Security Update – What You Need to Know appeared first on Wordfence.