WordPress releases version 6.4.2, advising update because of critical vulnerability
Take action: Even WordPress asks you to update your site, so it definitely is worth the effort. It's a minor update, so don't delay. Patch now.
WordPress has recently updated to version 6.4.2, addressing multiple functional bugs and one critical vulnerability that could enable attackers to run arbitrary PHP code on websites, potentially leading to complete site control.
The flaw is linked to a new feature in version 6.4 aimed at enhancing HTML parsing in the block editor, and it affects only versions 6.4 and 6.4.1.
WordPress's official announcement highlighted the risk of this vulnerability in conjunction with certain plugins and in multisite installations: "A Remote Code Execution vulnerability that is not directly exploitable in core, however the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installs."
WordPress has not released a CVE identifier for the vulnerability or provided further details, probably to give the general public time to update their servers before more information enables attackers to build an exploit and automate attacks.
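To find installs still on the affected releases (6.4 and 6.4.1), the script below walks a directory tree, reads `$wp_version` from each `wp-includes/version.php`, and notes installs whose `wp-config.php` enables `MULTISITE`. It is an added example, not code from WordPress or from the original article; the scan root is an assumption, and the multisite check is a plain text heuristic.

```python
import re
import sys
from pathlib import Path

# Affected releases as stated in the article; 6.4.2 carries the fix.
AFFECTED = {"6.4", "6.4.1"}
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)
# Heuristic: does not tell a commented-out define from a live one.
MULTISITE_RE = re.compile(r"""define\(\s*['"]MULTISITE['"]\s*,\s*true\s*\)""", re.I)


def _read(path):
    """Return file text, or an empty string if the file is missing or unreadable."""
    try:
        return path.read_text(encoding="utf-8", errors="replace")
    except OSError:
        return ""


def is_multisite(install_dir):
    """wp-config.php may sit in the install directory or one level above it."""
    return any(MULTISITE_RE.search(_read(d / "wp-config.php"))
               for d in (install_dir, install_dir.parent))


def scan(root):
    """Return one dict per WordPress install found under root."""
    findings = []
    for vf in sorted(Path(root).rglob("version.php")):
        if vf.parent.name != "wp-includes":
            continue  # some other project's version.php
        m = VERSION_RE.search(_read(vf))
        version = m.group(1) if m else None
        install = vf.parent.parent
        findings.append({
            "path": str(install),
            "version": version,
            "affected": version in AFFECTED,
            "multisite": is_multisite(install),
        })
    return findings


if __name__ == "__main__":
    # Usage: python wp_scan.py /var/www   (the path is an example)
    hits = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for f in hits:
        flag = "UPDATE" if f["affected"] else "ok"
        note = " multisite" if f["multisite"] else ""
        print(f'{flag:6} {f["version"] or "unknown":10} {f["path"]}{note}')
    sys.exit(1 if any(f["affected"] for f in hits) else 0)
```

The script exits non-zero when any affected install is found, so it can gate a cron job or a configuration-management run.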