
Bug Introduced in WordPress 6.4.3 Highlights a Problem With Fixing Vulnerabilities That Are Not Really Vulnerabilities

via pluginvulnerabilities.com => original post link

The latest version of WordPress, 6.4.3, has created a lot of headaches for the WordPress community, as installing plugins by uploading zipped copies is not working for most plugins that have been compressed on Macs (and possibly for plugins zipped in some other situations). That is caused by fixing a vulnerability that was described in the release announcement as “a PHP File Upload bypass via Plugin Installer (requiring admin privileges).” That description isn’t clear, but seems rather odd. WordPress’ plugin installer intentionally allows uploading PHP files. It couldn’t work otherwise, as a WordPress plugin needs at least one PHP file. So how is this a vulnerability? It really isn’t.

So WordPress developers were fixing a vulnerability that really wasn’t a vulnerability and creating new problems. That seems like a bad trade to make. That is a larger problem than just this issue with WordPress. This often also occurs with WordPress plugins these days, when competitors of ours falsely claim there are vulnerabilities similar to the issue here and create unneeded headaches for others.