New WordPress 6.4.2 Fixes A Critical Bug. Do You Know Them?

You might have already noticed that there’s a new version of WordPress out in the world, labeled as 6.4.2. This is another relatively quick update following the recent releases of versions 6.4 and shortly after, 6.4.1. WordPress 6.4.2 fixes a critical bug discovered by developers in the so-called ‘pop’ strings. This bug is critical primarily because it allows an attacker to remotely execute arbitrary code directly on the website without the website owner having any inkling about it.

Where does the issue lie?

New WordPress 6.4.2 Fixes A Critical Bug. Do You Know Them?

The problem resides in the WP_HTML_Token class introduced in WordPress 6.4, which is used to enhance the analysis of HTML code in the block editor (Gutenberg). It includes a method, __destruct, which automatically triggers after PHP processes a request. This __destruct method further utilizes call_user_func to execute a function passed via the on_destroy property, taking the bookmark_name property as an argument.

If an attacker were to exploit this bug, they would gain full control over both the __destruct method and bookmark_name. This could be further exploited to execute any code on the website.

Problematic code segment:

					public function __destruct() {
    if ( is_callable( $this->on_destroy ) ) {
        call_user_func( $this->on_destroy, $this->bookmark_name );


Fixed code

					public function __wakeup() {
   throw new \LogicException( __CLASS__ . ' should never be unserialized' );


The newly added method, __wakeup, ensures that any serialized object with the class WP_HTML_Token will trigger an error if it’s not serialized, thus preventing the execution of the __destruct function.

Other fixed issues:

In total, the new version of WordPress fixes 7 bugs. You can find a detailed description of them here: Make WordPress Core

WordPress 6.4.2 fixes a critical bug.


Given that the new update addresses a serious, critical bug that potentially jeopardizes the website’s security, it’s advisable not to postpone updating your content management system. The update itself takes approximately a minute if you don’t back up the website. If you want to ensure a smooth process, follow these steps:

  • Back up data via FTP.
  • Create a MySQL backup.
  • Optionally, utilize tools like Updraft to back up the entire website to a remote cloud storage.
  • Update the WordPress version.
  • Clear temporary cache plugin files.
  • Test the website.

The mentioned procedure is the only secure way. If the update causes significant issues on the website, you can immediately revert to the original state using the backup. Any update on a website using plugins built for different versions of WordPress may lead to website crashes. Update safely and cautiously.

The website is created with care for the included information. I strive to provide high-quality and useful content that helps or inspires others. If you are satisfied with my work and would like to support me, you can do so through simple options.

Byl pro Vás tento článek užitečný?

Klikni na počet hvězd pro hlasování.

Průměrné hodnocení. 0 / 5. Počet hlasování: 0

Zatím nehodnoceno! Buďte první

Jak užitečný vidíte tento článek.

Sledujte mě na sociálních médiích.

Je mi líto, že pro Vás nebyl článek užitečný.

Jak mohu vylepšit článek?

Řekněte mi, jak jej mohu zlepšit.


Subscribe to the Newsletter

Stay informed! Join our newsletter subscription and be the first to receive the latest information directly to your email inbox. Follow updates, exclusive events, and inspiring content, all delivered straight to your email.

Upozornit na
0 Komentáře/ů
Vložené zpětné vazby.
Zobrazit všechny komentáře.

Pokud mi chcete napsat rychlou zprávu, využije, prosím, níže uvedený
kontaktní formulář. Děkuji.

Další Kontaktní údaje