
Find real vulnerabilities before they ship
WordPress is an open publishing platform for the Web. Unserialization of instances of the `WP_HTML_Token` class allows for code execution via its `__destruct()` magic method. This issue was fixed in WordPress 6.4.2 on December 6th, 2023. Versions prior to 6.4.0 are not affected.
Base Score
9.8| Base Score | 9.8 |
|---|---|
| Vector String | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Base Severity | Critical |
| Version | 3.1 |
| Attack Vector (AV) | NETWORK |