WordPress · Wordpress · CVE-2024-31210
**Name of the Vulnerable Software and Affected Versions**
WordPress versions prior to 6.4.3
WordPress versions 6.3.3, 6.2.4, 6.1.5, 6.0.7, 5.9.9, 5.8.9, 5.7.11, 5.6.13, 5.5.14, 5.4.15, 5.3.17, 5.2.20, 5.1.18, 5.0.21, 4.9.25, 2.8.24, 4.7.28, 4.6.28, 4.5.31, 4.4.32, 4.3.33, 4.2.37, and 4.1.40
**Description**
The issue allows an administrative user to submit a file of a type other than a zip file as a new plugin, potentially leading to remote code execution (RCE) if the `DISALLOW_FILE_EDIT` constant is set to `true` and FTP credentials are required. This affects Administrator-level users on single-site installations and Super Admin-level users on Multisite installations. The issue does not affect lower-level users or sites where the `DISALLOW_FILE_MODS` constant is set to `true`.
**Recommendations**
Update to WordPress version 6.4.3 or later.
For versions 6.3.3, 6.2.4, 6.1.5, 6.0.7, 5.9.9, 5.8.9, 5.7.11, 5.6.13, 5.5.14, 5.4.15, 5.3.17, 5.2.20, 5.1.18, 5.0.21, 4.9.25, 2.8.24, 4.7.28, 4.6.28, 4.5.31, 4.4.32, 4.3.33, 4.2.37, and 4.1.40, update to the respective backported version.
As a temporary workaround, consider defining the `DISALLOW_FILE_MODS` constant as `true` to prevent plugin uploads.
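To turn the version list and the workaround above into a repeatable check, the following Python script (an added example, not WordPress code or part of the advisory) reads the version string that WordPress keeps in `wp-includes/version.php` and the `DISALLOW_FILE_MODS` setting from `wp-config.php`, then reports whether the site is on a fixed release or is still exposed. The fixed-version table is copied from the advisory as printed; the sample file contents are constructed for the demonstration, and the assumption that a branch absent from the table has no backported fix (and so should be upgraded) is a conservative choice of this script, not a statement from the advisory.

```python
import re

# Fixed releases as listed in the advisory: 6.4.3 is the main fix, the rest are
# the backported releases for older branches (copied exactly as printed).
FIXED_VERSIONS = [
    "6.4.3",
    "6.3.3", "6.2.4", "6.1.5", "6.0.7", "5.9.9", "5.8.9", "5.7.11", "5.6.13",
    "5.5.14", "5.4.15", "5.3.17", "5.2.20", "5.1.18", "5.0.21", "4.9.25",
    "2.8.24",
    "4.7.28", "4.6.28", "4.5.31", "4.4.32", "4.3.33", "4.2.37", "4.1.40",
]

# WordPress stores its version as: $wp_version = '6.4.2';
VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")
# wp-config.php constants look like: define( 'DISALLOW_FILE_MODS', true );
FLAG_RE = re.compile(r"define\(\s*['\"](\w+)['\"]\s*,\s*(true|false)\s*\)", re.IGNORECASE)


def parse_version(text):
    """'6.4.2' -> (6, 4, 2). The first release of a branch may be written
    without a patch number ('6.4'), so pad to three components."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


# Map each branch (major, minor) to the first fixed release on that branch.
FIXED_BY_BRANCH = {parse_version(v)[:2]: parse_version(v) for v in FIXED_VERSIONS}


def fix_status(version):
    """Classify an installed version against the advisory's fixed releases."""
    v = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return "fixed" if v >= fixed else "vulnerable"
    if v >= parse_version("6.4.3"):
        return "fixed"          # newer branch than the advisory's main fix
    # Assumption of this script: a branch with no listed backport gets no fix.
    return "no backported fix for this branch"


def installed_version(version_php_text):
    """Extract the version string from the contents of wp-includes/version.php."""
    m = VERSION_RE.search(version_php_text)
    if not m:
        raise ValueError("no $wp_version assignment found")
    return m.group(1)


def config_flag(config_text, name):
    """Return True/False when wp-config.php defines the named boolean constant,
    or None when it is absent. Lines commented out with // or # are skipped;
    a define() inside a /* */ block would need a real PHP parser."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#")):
            continue
        m = FLAG_RE.search(stripped)
        if m and m.group(1).upper() == name:
            return m.group(2).lower() == "true"
    return None


def assess(version_php_text, wp_config_text):
    """Combine the version check with the DISALLOW_FILE_MODS workaround:
    a site is exposed when it is not on a fixed release and plugin uploads
    are not blocked by DISALLOW_FILE_MODS."""
    version = installed_version(version_php_text)
    status = fix_status(version)
    mods_blocked = config_flag(wp_config_text, "DISALLOW_FILE_MODS")
    return {
        "version": version,
        "fix_status": status,
        "disallow_file_mods": mods_blocked,
        "exposed": status != "fixed" and mods_blocked is not True,
    }


# Constructed sample inputs standing in for the real files on disk.
VERSION_PHP = "<?php\n$wp_version = '6.4.2';\n"
WP_CONFIG_WEAK = "<?php\n// define( 'DISALLOW_FILE_MODS', true );\n"
WP_CONFIG_HARDENED = "<?php\ndefine( 'DISALLOW_FILE_MODS', true );\n"

if __name__ == "__main__":
    for label, cfg in (("weak", WP_CONFIG_WEAK), ("hardened", WP_CONFIG_HARDENED)):
        print(label, assess(VERSION_PHP, cfg))
```

Against a real installation, read the two files with `open()` and pass their contents to `assess()`. Note that the commented-out `define()` in the weak sample is deliberately treated as absent, which is the common mistake when a workaround is "added" but left commented.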