You might have already noticed that there is a new version of WordPress out in the world, labeled 6.4.2. This is another relatively quick update following the recent releases of version 6.4 and, shortly after, 6.4.1. WordPress 6.4.2 fixes a critical bug discovered by developers in a so-called POP chain (property-oriented programming gadget chain). The bug is critical primarily because it allows an attacker to execute arbitrary code remotely on the website without the site owner having any inkling of it.
Where does the issue lie?
The problem resides in the WP_HTML_Token class introduced in WordPress 6.4, which is used to improve HTML parsing in the block editor (Gutenberg). It contains a __destruct method, which PHP calls automatically when the object is destroyed, typically once the request has been processed. This __destruct method uses call_user_func to invoke whatever callable is stored in the on_destroy property, passing the bookmark_name property as the argument.
An attacker who can get a crafted serialized WP_HTML_Token object unserialized on the site (for example through a PHP object injection flaw in a plugin or theme, since core itself offers no such entry point) controls both the on_destroy callable that __destruct invokes and the bookmark_name argument it receives. That is enough to run arbitrary code on the website.
Problematic code segment:
    public function __destruct() {
        // Whatever callable sits in on_destroy is invoked with bookmark_name;
        // both properties are attacker-controlled in a deserialized object.
        if ( is_callable( $this->on_destroy ) ) {
            call_user_func( $this->on_destroy, $this->bookmark_name );
        }
    }
Fixed code:
    // Added in 6.4.2: refuse to rebuild this class from serialized data at all.
    public function __wakeup() {
        throw new \LogicException( __CLASS__ . ' should never be unserialized' );
    }
The newly added __wakeup method ensures that any attempt to unserialize an object of class WP_HTML_Token throws an exception, so an attacker-supplied object is never reconstructed and its __destruct method never runs with attacker-controlled properties.
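To show the guard in action next to a second layer a plugin author can add when untrusted serialized input cannot be avoided, here is an added example; it is not WordPress code, and TokenStandIn and unserialize_untrusted are hypothetical names standing in for the real class.

```php
<?php
// Added example, not WordPress code: a minimal stand-in class with the
// __destruct/__wakeup pair from the article, plus the defence-in-depth
// check for code that must unserialize untrusted data. Names are hypothetical.
declare(strict_types=1);

final class TokenStandIn {
    public $on_destroy    = null;
    public $bookmark_name = null;

    // Same guard as the 6.4.2 fix: refuse to be rebuilt from serialized data.
    public function __wakeup() {
        throw new \LogicException( __CLASS__ . ' should never be unserialized' );
    }

    // Same shape as the destructor discussed above.
    public function __destruct() {
        if ( is_callable( $this->on_destroy ) ) {
            call_user_func( $this->on_destroy, $this->bookmark_name );
        }
    }
}

// Defence in depth: with allowed_classes => false PHP instantiates no real
// class at all, so neither __wakeup nor __destruct of any gadget class can
// run; a blob that tried to smuggle an object comes back as
// __PHP_Incomplete_Class, which the caller can detect and reject.
function unserialize_untrusted( string $blob ): array {
    $value    = unserialize( $blob, [ 'allowed_classes' => false ] );
    $smuggled = $value instanceof \__PHP_Incomplete_Class;
    return [ 'value' => $value, 'object_smuggled' => $smuggled ];
}

// Constructed input: a serialized TokenStandIn with harmless properties.
$obj = new TokenStandIn();
$obj->bookmark_name = 'constructed';
$blob = serialize( $obj );   // serialize() does not invoke __wakeup

// 1. The guard: a plain unserialize() of this class is refused outright.
try {
    unserialize( $blob );
    echo "guard missing\n";
} catch ( \LogicException $e ) {
    echo "guard fired: " . $e->getMessage() . "\n";
}

// 2. The hardened call: the object is neutered instead of instantiated.
$result = unserialize_untrusted( $blob );
echo $result['object_smuggled'] ? "smuggled object blocked\n" : "plain data\n";
```

Run with a PHP 7.0 or newer CLI; the allowed_classes option exists from PHP 7.0.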
Other fixed issues:
In total, the new version of WordPress fixes 7 bugs. A detailed description of them is published on the Make WordPress Core blog.
- Change CSS align-items from start / end to flex-start / flex-end for full browser support
- Irrelevant comment for translators
- Since WordPress 6.4, the functions.php of a theme moved to a different location using register_theme_directory is no longer called
- Incorrect reference in the docblock for _register_theme_block_patterns
- Expose serialized template content to callbacks registered to the `hooked_block_types` filter
- Incorrect example for the WP_HTML_Tag_Processor class
- Site editor: logo
Conclusion:
Given that the new update addresses a serious, critical bug that potentially jeopardizes the website's security, it is advisable not to postpone updating your content management system. The update itself takes approximately a minute if you do not back up the website. If you want to ensure a smooth process, follow these steps:
- Back up data via FTP.
- Create a MySQL backup.
- Optionally, utilize tools like Updraft to back up the entire website to a remote cloud storage.
- Update the WordPress version.
- Clear temporary cache plugin files.
- Test the website.
This procedure is the only safe way to update. If the update causes significant issues on the website, you can immediately revert to the original state from the backup. Any update on a website that uses plugins built for different versions of WordPress may lead to website crashes. Update safely and cautiously.