The WordPress 6.4.3 Security Update – What You Need to Know

Today, January 30, 2024, WordPress released version 6.4.3, which contains two security patches for longstanding, albeit minor, security concerns in WordPress Core.

The first patch addresses an issue that allows users with Administrator (or Super Administrator on Multisite) privileges to upload PHP files directly to a site via the Plugin and Theme file upload mechanism. This is only a concern in heavily locked-down configurations that disallow Administrators and Super Administrators from installing plugins and themes via a separate mechanism. Wordfence has tracked this as a low-priority informational security alert since August 2023, though it has been public since August 2018.

The second patch addresses the way that options are stored – it first sanitizes them before checking the data type of the option – arrays and objects are serialized, as well as already serialized data, which is serialized again. While this already happens when options are updated, it was not performed during site installation, initialization, or upgrade. According to the 6.4.3 release post, this is intended to address a potential PHP Object Injection issue.

Both issues appear to require a highly privileged user or an attacker stumbling upon a site with an incomplete installation to exploit, and are likely to impact few WordPress sites in the real world.

Both patches have been backported to version 4.1 and later of WordPress.

Conclusion

The WordPress 6.4.3 security patches addressed two minor issues in WordPress core and can primarily be considered increased hardening, as the circumstances in which they are likely to have a security impact are incredibly rare. Nonetheless, we recommend updating in a reasonable time frame, especially if your site relies on a hardened configuration due to regulatory requirements.

This article was written by Ramuel Gall, a former Wordfence Senior Security Researcher.