Home » Blog » WordPress 6.4.2 Addresses Remote Code Execution & Other Issues 


WordPress 6.4.2 Addresses Remote Code Execution & Other Issues

WordPress 6.4.2 Addresses Remote Code Execution & Other Issues 

Soumi Biswas January 10, 2024 3 MIN READ


WordPress 6.4.2 Addresses Remote Code Execution & Other Issues

2023 was a landmark year for the WordPress community, marked by significant version updates, including WordPress 6.2, 6.3, and 6.4. It even saw numerous maintenance and security enhancements, such as the WordPress 6.4.1 maintenance release.  

However, the journey didn’t stop there. A month following the 6.4.1 release, the WordPress team introduced another security and maintenance update — WordPress 6.4.2. This update was rolled out on 6 December 2023 to enhance the CMS’s security and performance.  

WordPress 6.4.2 Update  

This latest WordPress update, 6.4.2, is crucial. It addresses a critical security flaw within the core that could lead to remote code execution and allow hackers to take control of the entire site, particularly when combined with vulnerable plugins.  

The latest version release is a testament to the WordPress community’s commitment to security and performance, aiming to provide a safer, more robust platform for web creators worldwide. 

The Need  

According to the WordPress team’s official statement, the 6.4.2 update is a short-cycle release. WordPress 6.4.2 addressed a critical issue found by developers in what’s known as ‘pop’ strings. This issue is particularly serious because it lets an attacker secretly run harmful code on the website without the site owner having any inkling about it. 

Apart from the 6.4.2 security update, this release also includes fixes for several bugs, thereby enhancing WordPress sites’ overall performance and stability. These improvements are going to contribute to a smoother user experience and less downtime, which is crucial for maintaining the credibility and efficiency of your digital presence. 

Let’s delve into the specifics of the issue, its implications, and the resolution provided by the WordPress team. 

Understanding the Critical Security Update in WordPress 6.4.2

WordPress 6.4.2 brings an important security update to the forefront, addressing a critical issue found in the WP_HTML_Token class. This class, introduced in WordPress 6.4, aimed to enhance HTML parsing within the Gutenberg block editor but inadvertently introduced a vulnerability.  

The Root of the Issue

The problem lies in the WP_HTML_Token class, specifically within a method named __destruct. This method is automatically triggered after PHP processes a request and utilizes call_user_func to execute a function passed via the on_destroy property, with bookmark_name as an argument. The code segment in question is: 

The Impact  

Hackers, by exploiting a PHP object injection vulnerability along with any other plugin or theme, could chain the issues to execute arbitrary code and potentially take control of the targeted site.  

This vulnerability is particularly dangerous because it allows attackers to delete files, retrieve sensitive data, or execute code without the website owner’s knowledge. The exploitation hinges on gaining control over the __destruct method and bookmark_name, leading to unauthorized code execution. 

The Solution

The WordPress team introduced a new method called __wakeup to mitigate this vulnerability. If any serialized object with the WP_HTML_Token class is not serialized properly, this method throws an error to prevent unintended execution of the __destruct function. 

The fixed code is: 

The fixed code

With the addition of the __wakeup method, any serialized object of the WP_HTML_Token class that is not serialized correctly will cause an error, effectively blocking the __destruct function from executing.

Bugs Also Addressed in WordPress 6.4.2 Update

WordPress has also addressed seven specific bugs in this 6.4.2 update. We have meticulously addressed the issues mentioned below through code updates and enhancements. 

1. Enhanced Browser Support with CSS Alignment Update

The 6.4.2 update refines CSS ‘align-item’ properties to ‘flex-start/flex-end’ from ‘start/end’, enhancing compatibility across diverse web browsers. This adjustment addresses the lack of universal support for the original values, ensuring a more consistent user experience. 

2. Streamlining Code by Removing Redundant Translator Comments

This 6.4.2 update involves cleaning up the code by removing or modifying irrelevant or potentially misleading comments for translators. This refinement helps ensure that only pertinent instructions and context are provided, streamlining the translation process. 

3. Adjustment in Theme’s Functions.php Handling Post WordPress 6.4

Following the WordPress 6.4 update, the ‘functions.php’ file handling in themes has been modified, particularly when the theme directory is repositioned using ‘register_theme_directory’. This update rectifies the issue, ensuring the ‘functions.php’ file is properly invoked, maintaining theme functionality. 

4. Correcting Docblock References for Theme Block Patterns

The 6.4.2 release amends inaccuracies in the docblock for the ‘_register_theme_block_patterns’ function. This correction provides precise references and information, enhancing the clarity and accuracy of the code documentation. 

5. Expanding Template Manipulation Capabilities

The WordPress 6.4.2 update extends the capabilities of template manipulation by exposing serialized content to ‘hooked_block_types’ filter callbacks. This enhancement allows for more dynamic and flexible template adjustments, improving website adaptability and functionality. 

6. Refining WP_HTML_Tag_Processor Class Example  

With the 6.4.2 update, WordPress provides an updated and accurate example for the ‘WP_HTML_Tag_Processor’ class, rectifying previous inaccuracies. This ensures developers have a reliable guide for effectively utilizing the class in their coding projects. 

7. Site Editor Logo Feature Update

The latest update improves and fixes the site editor’s logo feature. It focuses on enhancing logos handling, display, and editing within the site editor, aiming for a smoother and more intuitive user experience. 

The WordPress team has worked hard to ensure that each fix not only resolves the immediate problem but also contributes to the overall stability and performance of the CMS. Rigorous testing and community feedback have played a crucial role in shaping this update. 

Is there any need to go for a WordPress 6.4.2 Update?  

We urge all WordPress 6.4 users to update to 6.4.2 immediately. Why are we making such a request?  

Only WordPress versions 6.4 and 6.4.1 have been impacted by this problem; however, older versions of WordPress do not have it.  

The release of WordPress 6.4.2 is a proactive measure to prevent the exploitation of this vulnerability. By updating, you’re not just enhancing the features of your site; you’re fortifying its defenses against potential attacks that could exploit this flaw. It’s a critical step in maintaining the integrity and security of your online presence. 

So, if you are still running your sites on WordPress 6.4 or WordPress 6.4.1 platforms, it’s time to update them to the latest WordPress version.  

Upcoming Release

While the 6.4.2 release is the latest news, the WordPress team is always working on the next big thing. We can expect an early 2024 release of version 6.5. 

It promises to bring new features, further security enhancements, and performance improvements. So, once you’re updated to 6.4.2, watch for what’s coming next! 

How to Update to WordPress 6.4.2?

How to Update to WordPress 6.4.2?

Updating to WordPress 6.4.2 is straightforward. Most WordPress sites offer automatic updates to the latest WordPress version. But if you haven’t enabled automatic updates for your WordPress site — which we highly recommended — then you should manually update your site to the latest WordPress version, i.e., 6.4.2, as soon as possible. 

If your site doesn’t support automatic updates, you can update it manually from the WordPress Dashboard. Once you go to the Dashboard, navigate to Updates, and select the option to update to 6.4.2. 

You can also download WordPress 6.4.2 from the official website or visit the 6.4.2 documentation page. But if you’re facing issues with the WordPress 6.4.2 update, remember agencies like eWay Corp is just a call away!  

Our Thoughts

Staying updated with the latest WordPress version is crucial for enhancing the security and functionality of your website. If you haven’t already, take some time to update it to the latest WordPress version 6.4.2.  

Once updated, enjoy enhanced performance and complete peace of mind that comes with knowing your site is secure. For quick guidance and a hassle-free WordPress 6.4.2 update, you can get in touch with our WordPress wizards today!