The latest WordPress security update addresses a critical remote code execution (RCE) vulnerability that stems from a property-oriented programming (POP) chain issue. The flaw, introduced in WordPress core 6.4, could enable attackers to execute PHP code on vulnerable websites. Although the vulnerability isn't directly exploitable in core, it becomes a significant risk when combined with certain plugins. WordPress 6.4.2 patches the RCE bug by introducing a preventive method that stops the vulnerable function from running. Site owners and administrators are strongly urged to update their CMS to the fixed version to guard against potential exploitation, even though there are no current signs of active exploitation.
Read more: https://www.securityweek.com/wordpress-6-4-2-patches-remote-code-execution-vulnerability/
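
To illustrate the kind of "preventive method" described above, the following added example (not WordPress core code and not taken from the linked article) shows a class whose destructor calls a property-held callback, hardened with a `__wakeup()` guard that rejects `unserialize()`. The class `CallbackToken` and the function `record_call()` are hypothetical names, and the serialized input is a benign sample constructed inside the script.

```php
<?php
// Added illustration. CallbackToken and record_call() are hypothetical
// names constructed for this example; this is not WordPress core code.

final class CallbackToken
{
    public $label;
    public $on_destroy;

    public function __construct(string $label, $on_destroy = null)
    {
        $this->label      = $label;
        $this->on_destroy = $on_destroy;
    }

    // A destructor that calls whatever callable sits in a property is the
    // kind of magic method a POP chain depends on.
    public function __destruct()
    {
        if (is_callable($this->on_destroy)) {
            call_user_func($this->on_destroy, $this->label);
        }
    }

    // The guard: PHP invokes __wakeup() when unserialize() rebuilds an
    // instance, so throwing here rejects any serialized copy of the class.
    public function __wakeup()
    {
        throw new \LogicException(__CLASS__ . ' must never be unserialized');
    }
}

$calls = [];
function record_call($label) { $GLOBALS['calls'][] = $label; }

// Constructed sample input: a benign instance serialized locally.
$original = new CallbackToken('sample', 'record_call');
$blob = serialize($original);
$original->on_destroy = null;   // keep the original's own destructor quiet

try {
    unserialize($blob);
    echo "guard missing: object was rebuilt\n";
} catch (\LogicException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
echo "callback ran ", count($calls), " time(s) after unserialize\n";
```

Removing the `__wakeup()` method and re-running the script shows the difference the guard makes: the rebuilt object is destroyed immediately and its callback fires.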