Since our last report, 204 new plugin vulnerabilities and one in WordPress core have been publicly disclosed. Security patches for WordPress core and 124 plugins are available now, so run those updates as soon as possible. If you're a Solid Security Pro user and have activated version management, any vulnerable plugins with security updates available may have had them applied automatically.
Additionally, there are 80 plugin vulnerabilities with no patch available yet. If you're a Solid Security Pro user, those vulnerabilities are already protected by the Solid Security firewall. Virtual patches from Patchstack will be applied when a vulnerability is considered high or medium risk. If no patch is forthcoming from the vendor or the vulnerable software has been marked "closed" and dropped from the official WordPress repositories, you should deactivate it soon and look for alternative solutions.
WordPress Core – Security Update!
WordPress 6.4.2 was released on December 6, 2023, as a short-cycle maintenance and security release with seven bug fixes and one security patch for a potential Remote Code Execution (RCE) vulnerability that is not directly exploitable in most situations. However, combined with certain vulnerabilities in third-party plugins on a multisite network, this vulnerability could be exploited and pose a high-severity risk. The 6.4.1 update will prevent PHP object injections from being chained into a potential RCE, according to details published by Patchstack.
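The chaining described above works because a plugin's deserialization sink only turns into code execution when some loadable class with a side-effecting magic method exists to act as a gadget. The following is an added example, not code from WordPress core, Patchstack, or Solid Security: a constructed `AuditLogger` class stands in for such a gadget, and a hypothetical `load_prefs_*` function shows the vulnerable plugin pattern beside two hardened forms a plugin author can use so their code is never the injection point, whatever gadgets core or other plugins happen to ship.

```php
<?php
// Constructed stand-in for any autoloadable class whose magic method has a
// side effect. In a real chain this is where the "potential RCE" would live.
class AuditLogger {
    public $message = '';
    public function __wakeup() {
        // Runs the moment unserialize() revives an object of this class,
        // before the calling plugin code ever looks at the result.
        echo "AuditLogger::__wakeup fired with message: {$this->message}\n";
    }
}

// Vulnerable pattern (hypothetical plugin code): untrusted bytes, e.g. from a
// cookie, POST field or user-editable option, go straight into unserialize().
function load_prefs_vulnerable(string $raw) {
    return unserialize($raw);
}

// Hardened pattern 1: forbid object instantiation. Attacker-supplied objects
// become __PHP_Incomplete_Class instances, so no __wakeup/__destruct gadget
// in core or any plugin can be triggered through this sink.
function load_prefs_hardened(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardened pattern 2: avoid PHP serialization for untrusted input entirely.
// JSON cannot express objects with behaviour, only plain data.
function load_prefs_json(string $raw): ?array {
    $value = json_decode($raw, true, 8);
    return is_array($value) ? $value : null;
}

// Constructed input: a serialized AuditLogger, the shape an attacker would
// smuggle into whatever the vulnerable plugin deserializes.
$payload = 'O:11:"AuditLogger":1:{s:7:"message";s:9:"untrusted";}';

echo "vulnerable sink:\n";
$obj = load_prefs_vulnerable($payload);   // gadget's __wakeup executes here

echo "hardened sink:\n";
$safe = load_prefs_hardened($payload);    // no magic method runs
echo "  class returned: " . get_class($safe) . "\n";

echo "json sink:\n";
$json = load_prefs_json($payload);        // not JSON, so rejected outright
echo "  result is " . ($json === null ? "null (rejected)" : "array") . "\n";
```

Auditing a plugin for `unserialize(` calls on request-controlled data is the defender-side check; a plugin that needs to persist structured data should use JSON or WordPress's own option APIs with JSON-encoded values rather than raw PHP serialization of untrusted input.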
WordPress 6.4.1 was released on November 8, 2023, as a short-cycle maintenance release to address several bugs, including a loss of backward compatibility with a dependency, cURL 7.29 or earlier, which broke the WordPress internal update facility on servers running very old, insecure cURL versions.
WordPress 6.4 was released on November 7, 2023, as the third major release of the year. Following a major release, you should not update live sites without taking backups and testing the update in a non-production environment first.
