WordPress 6.4.3 – what does the new update fix?

WordPress 6.4.3 addresses several security issues and 21 additional bugs. For more detailed information, you can refer to the official page about this version: WordPress 6.4.3 documentation .

A detailed description of the core WordPress fixes is provided here: Make WordPress Core

On the other hand, the errors fixed in the block editor are described here on GitHub: WordPress 6.4.3 GitHub

Fixes in the WordPress Core

• Text is not highlighted when editing a page in the latest Chrome Dev and Canary.
• Update default PHP version used in local Docker environment for older versions.
• wp-login.php: Login messages/errors.
• Outdated code print_emoji_styles generated during insertion.
• Attachment pages are restricted only for logged-in users.

PHP File Upload Bypass Fix

The first patch addresses a security vulnerability in the area of uploading PHP files through a vulnerability in the plugin installer. It is a WordPress flaw that allows an attacker to upload PHP files through the plugin or theme upload function. However, this vulnerability was not as severe as it might seem, as the attacker would need administrator-level permissions to execute such an attack.

PHP Object Injection

According to WordPress, the second patch is intended for a Remote Code Execution (RCE) POP Chains vulnerability that could allow an attacker to remotely execute code. RCE POP Chains vulnerability typically means there is a flaw that allows an attacker, through manipulation of input that the WordPress page deserializes, to execute arbitrary code directly on the server. Deserialization is the process where data is converted into a serialized format (like a text string). It is then converted back to its original form. This vulnerability also has a low risk because the attacker would need administrator-level permissions for a successful attack.