A critical remote code execution vulnerability has been patched as part of the WordPress 6.4.2 version. This vulnerability exists in the POP chain introduced in version 6.4, which can be combined with a separate Object Injection, resulting in the execution of arbitrary PHP code on the website.

Source: GBHackers