Impact
Unserialization of instances of the WP_HTML_Token class allows for code execution via its __destruct() magic method.
Patches
This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected.
References
This vulnerability was not responsibly disclosed to the WordPress security team and was published publicly as a zero-day vulnerability. Find out more about responsibly reporting security vulnerabilities.
Impact
Unserialization of instances of the
WP_HTML_Tokenclass allows for code execution via its__destruct()magic method.Patches
This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected.
References
This vulnerability was not responsibly disclosed to the WordPress security team and was published publicly as a zero-day vulnerability. Find out more about responsibly reporting security vulnerabilities.