WordPress Releases Patch for Critical Remote Code Execution Vulnerability

Qualys Security Advisory

Multiple versions of WordPress are affected by a remote code execution vulnerability. An attacker may chain the vulnerability with another vulnerability to run arbitrary PHP code on the target website.

WordPress is among the most popularly used content management systems. The open-source CMS helps in creating and managing websites. WordPress supports publishing web content, including mailing lists, Internet forums, media galleries, membership sites, learning management systems, and online stores.

Vulnerability Details

The vulnerability is not directly exploitable in the core; however, the flaw produces a severe threat when combined with some plugins, especially in multisite installations. Researchers have discovered Property Oriented Programming (POP) chain vulnerability in WordPress core that may lead to code execution.

The flaw exists in the WP_HTML_Token class, which is used to improve HTML parsing in the block editor. The class contains a __destruct method that is executed after PHP request processing. The __destruct method uses call_user_func to execute the function provided by the on_destroy property, accepting the bookmark_name property as an argument.

By exploiting an Object Injection vulnerability, an attacker will gain complete control over the on_destroy and bookmark_name properties, allowing them to easily take over the website by executing arbitrary code.

Although there aren’t any known object injection vulnerabilities in WordPress Core currently, there are plenty in other plugins and themes. The threat to any Object Injection vulnerability is significantly increased by the easy-to-exploit POP chain included in the core of WordPress.

Affected Versions

The vulnerability affects WordPress versions before 6.4.2.


Customers are requested to upgrade to WordPress version 6.4.2 or later to patch this vulnerability.

WordPress said in the advisory, “WordPress 6.4.2 is a short-cycle release. The next major release will be version 6.5, released in early 2024.”

For more information about the mitigation, please refer to WordPress Security Advisory.

Qualys Detection

Qualys customers can scan their devices with QID 731004 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.