CVE-2025-14071

A high-severity vulnerability has been identified in the "Live Composer – Free WordPress Website Builder" plugin.

Executive summary

This flaw, known as PHP Object Injection, could allow a remote attacker to execute arbitrary code on the server, potentially leading to a complete compromise of the affected website, data theft, and further network intrusion. Organizations using this plugin are at significant risk and should take immediate action to mitigate this threat.

Vulnerability

The vulnerability is a PHP Object Injection flaw. It exists because the application deserializes untrusted user-supplied data without sufficient validation. An attacker can craft a malicious serialized PHP object and submit it to the application. When unserialize() reconstructs that object, PHP runs the class's magic methods (such as __wakeup() or __destruct()), which can trigger a "Property-Oriented Programming" (POP) chain: a sequence of existing code "gadgets" within the application's codebase that are invoked with attacker-controlled property values to perform unintended actions, ultimately leading to arbitrary code execution, file manipulation, or other malicious activities.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.5. A successful exploit could result in a complete compromise of the web server's confidentiality, integrity, and availability. Potential consequences include the theft of sensitive data such as customer information or payment details, website defacement, injection of malware to attack site visitors, or the use of the compromised server as a pivot point for further attacks into the organization's internal network. These impacts can lead to significant reputational damage, financial loss, and regulatory penalties.

Remediation

Immediate Action: Update the "Live Composer – Free WordPress Website Builder" plugin to the latest version provided by the vendor, which addresses this vulnerability. If the plugin is not critical to business operations, the recommended course of action is to disable and completely remove it to eliminate the attack surface.

Proactive Monitoring: Monitor web server access logs for unusual POST requests, particularly those containing long, encoded strings or tokens indicative of serialized PHP data (e.g., O:, a:, s:), keeping in mind that such payloads are commonly URL- or base64-encoded. Implement file integrity monitoring to detect unauthorized changes to WordPress core files, themes, or plugins. Scrutinize system logs for unexpected process execution originating from the web server process (e.g., www-data, apache).
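As an added example (not code from the advisory or from the plugin's authors), the following Python scanner applies the monitoring guidance above to access-log lines: it URL- and base64-decodes each line, flags the serialized-object token (O:) and records the class name it names, and treats array/string tokens (a:, s:) as a weaker signal. The log lines, request path and class names are constructed placeholders.

```python
import base64
import re
from urllib.parse import quote, unquote_plus
# Opening token of a serialized PHP object, O:<len>:"<Class>":<nprops>:{ (the advisory's "O:"
# indicator); namespaced class names contain backslashes.
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')
# Weaker indicators also named in the advisory: serialized arrays ("a:") and strings ("s:").
PHP_WEAK_RE = re.compile(r'(?:a:\d+:\{|s:\d+:")')
BASE64_RUN_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')

def decoded_forms(value):
    """value plus URL-decoded (once and twice) and base64-decoded variants: payloads are wrapped."""
    forms = {value, unquote_plus(value), unquote_plus(unquote_plus(value))}
    for form in list(forms):
        for run in BASE64_RUN_RE.findall(form):
            try:  # pad to a multiple of 4 and decode; runs that are not base64 are skipped
                forms.add(base64.b64decode(run + "=" * (-len(run) % 4), validate=True).decode("latin-1"))
            except ValueError:
                continue
    return forms

def classify(text):
    """("object", [classes]) if an object token appears in any form, ("weak", []) for a:/s: only, else (None, [])."""
    classes, weak = set(), False
    for form in decoded_forms(text):
        classes.update(PHP_OBJECT_RE.findall(form))
        weak = weak or PHP_WEAK_RE.search(form) is not None
    if classes:
        return "object", sorted(classes)
    return ("weak", []) if weak else (None, [])

def scan_log(lines):
    """One finding per log line that carries serialized PHP data in any decoded form."""
    findings = []
    for number, line in enumerate(lines, 1):
        verdict, classes = classify(line)
        if verdict:
            findings.append({"line": number, "verdict": verdict, "classes": classes})
    return findings
# Constructed sample lines (combined-log style, not from a real server); path and class names are placeholders.
OBJ_URLENC = quote('O:8:"stdClass":1:{s:3:"foo";s:3:"bar";}')
OBJ_B64 = quote(base64.b64encode(b'O:19:"Example\\Placeholder":1:{s:4:"path";s:8:"/tmp/xyz";}').decode())
ARR_URLENC = quote('a:1:{i:0;s:2:"ok";}')
REQ = "POST /index.php?data="
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 1234',
    f'203.0.113.9 - - [10/Jan/2025:10:00:02 +0000] "{REQ}{OBJ_URLENC} HTTP/1.1" 200 45',
    f'203.0.113.7 - - [10/Jan/2025:10:00:03 +0000] "{REQ}{OBJ_B64} HTTP/1.1" 200 45',
    f'203.0.113.8 - - [10/Jan/2025:10:00:04 +0000] "{REQ}{ARR_URLENC} HTTP/1.1" 200 45',
]
```

Running scan_log(SAMPLE_LOG) reports lines 2 and 3 as "object" (naming stdClass and Example\Placeholder) and line 4 as "weak"; a real deployment would feed it the request body as well, since access logs normally omit POST bodies.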

Compensating Controls: If patching cannot be performed immediately, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block PHP Object Injection attempts. Restrict access to the WordPress administrative dashboard to trusted IP addresses only. Where possible, prevent user-supplied input from reaching unserialize(), though this may impact legitimate plugin functionality.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity (CVSS 7.5) of this vulnerability and the potential for complete system compromise, immediate remediation is strongly recommended. Organizations must prioritize updating or removing the affected "Live Composer" plugin across all WordPress instances. Although this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, its high impact makes it a prime candidate for future inclusion if widespread exploitation occurs. Proactive patching is the most effective defense against compromise.