PSA: Critical POP Chain Allowing Remote Code Execution Patched in WordPress 6.4.2

WordPress 6.4.2 was released today, on December 6, 2023. It includes a patch for a POP chain introduced in version 6.4 that, combined with a separate Object Injection vulnerability, could result in a Critical-Severity vulnerability allowing attackers to execute arbitrary PHP code on the site.

We urge all WordPress users to update to 6.4.2 immediately, as this issue could allow full site takeover if another vulnerability is present.

Technical Analysis

We’ve written about Object Injection vulnerabilities in the past, and the primary reason most Object Injection vulnerabilities are difficult to exploit is the lack of useful POP chains.

The problem here resides in the WP_HTML_Token class, which was introduced in WordPress 6.4 and is used to improve HTML parsing in the block editor. It includes a __destruct magic method that is automatically executed after PHP has processed the request. This __destruct method uses call_user_func to execute the function passed in through the on_destroy property, accepting the bookmark_name property as an argument:

public function __destruct() {
    if ( is_callable( $this->on_destroy ) ) {
        call_user_func( $this->on_destroy, $this->bookmark_name );

Since an attacker able to exploit an Object Injection vulnerability would have full control over the on_destroy and bookmark_name properties, they can use this to execute arbitrary code on the site to easily gain full control.

While WordPress Core currently does not have any known object injection vulnerabilities, they are rampant in other plugins and themes. The presence of an easy-to-exploit POP chain in WordPress core substantially increases the danger level of any Object Injection vulnerability.

The patch is very simple:

public function __wakeup() {
   throw new \LogicException( __CLASS__ . ' should never be unserialized' );

The newly added __wakeup method ensures that any serialized object with the WP_HTML_Token class throws an error as soon as it is unserialized, preventing the __destruct function from executing.

We have released a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response users. Wordfence free users will receive the same protection in 30 days, on January 5, 2024.


In today’s PSA, we analyzed a patch for a potentially critical issue in WordPress 6.4-6.4.1 that could allow attackers to take advantage of any Object Injection vulnerability present in any plugin to execute code. While most sites should automatically update to WordPress 6.4.2, we strongly recommend manually checking your site to ensure that it is updated.

We recommend sharing this advisory with everyone you know who uses WordPress, as this is a potentially critical issue that could lead to complete site takeover.

Did you know that Wordfence has a Bug Bounty Program? We’ve recently increased our bounties by 6.25x until December 20th, 2023, with our bounties for the most critical vulnerabilities reaching $10,000 USD! If you’re an aspiring or current vulnerability researcher, click here to sign up.

This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.

Did you enjoy this post? Share it!


  • Thanks with your update.

  • In which file will we add the patch code?

    • Hi micheal,

      The patch is applied automatically by updating to WordPress 6.4.2 - there is no need to manually patch.