WordPress 6.4.2 has been released as a critical security update, and all developers and site owners are strongly advised to update their WordPress installations immediately.
What Was Patched?
This urgent release addresses several high-severity vulnerabilities that pose significant risks to site security:
- Remote Code Execution (RCE): A potential RCE flaw discovered in a bundled library. RCE vulnerabilities allow attackers to execute arbitrary code on the server, potentially leading to full site compromise.
- Object Injection: An Object Injection vulnerability, which can be leveraged for various malicious purposes, including remote code execution in specific scenarios.
- Cross-Site Scripting (XSS): Two separate Cross-Site Scripting (XSS) issues, which could allow attackers to inject malicious scripts into trusted websites, impacting user sessions and data integrity.
The severity of these patches, especially the RCE and Object Injection flaws, underscores the urgency of updating. Failing to update leaves your sites vulnerable to sophisticated attacks that could lead to data breaches, unauthorized access, and complete control over your WordPress installation.
Action Required: Log into your WordPress dashboard and update to version 6.4.2 without delay. For those managing multiple sites, prioritize immediate updates across all properties to mitigate risks and ensure site security.
