---
licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0)
licence_link: https://creativecommons.org/licenses/by/4.0/
licence_restrictions: https://cert.europa.eu/legal-notice
licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies
title: 'High Severity Vulnerability in WordPress'
number: '2023-096'
version: '1.0'
original_date: 'December 6, 2023'
date: 'December 11, 2023'
---
_History:_
* _11/12/2023 --- v1.0 -- Initial publication_
# Summary
On December 6, 2023, WordPress released a new version addressing a vulnerability that, if combined with another vulnerability, could result in remote code execution [1].
While most sites should automatically update to WordPress 6.4.2, it is strongly recommended manually checking WordPress sites to ensure that it is updated.
# Technical Details
The vulnerability is a property-oriented programming (POP) chain issue identified in a class introduced to improve HTML parsing in the block editor. The vulnerable class includes a function that is executed automatically after PHP has processed a request, and which uses properties that an attacker may have full control of [2].
It can be combined with a different object injection flaw, allowing attackers to execute PHP code on vulnerable websites. While WordPress Core currently does not have any known object injection vulnerabilities, the WordPress security team feels that there is potential for high severity when combined with some plugins, especially in multi-site installations.
# Affected Products
This vulnerability affects WordPress version 6.4 until 6.4.2 (excluded).
# Recommendations
It is strongly recommended manually checking WordPress sites to ensure that it is updated, and if not, It is strongly recommended updating it.
# References
[1]
[2]
[3]