WordPress, the most popular content management system used by more than 800 million sites, has released an update to version 6.4.2. This update addresses a Zero-day vulnerability that allows for the execution of arbitrary PHP code on the target website.
The vulnerability was discovered by the project security team and is related to a programming technique known as Property Oriented Programming (POP).
In the context of security, POP is often associated with vulnerabilities that arise during the process of deserialization of data. Deserialization is the conversion of data from a storage or transmission format (such as a string or file) back to programming language objects. If the data is not properly validated during deserialization, an attacker can manipulate the data in a way that leads to unwanted actions.
In the case of POP, the attacker utilizes the features of objects, such as magical methods (e.g., object constructors and destructors), and their properties to control the program’s execution. By manipulating object properties, the attacker can trigger specific methods and alter the program’s behavior, potentially leading to the execution of arbitrary code, unauthorized access to sensitive data, or other security incidents.