A high-severity vulnerability has been identified in the "Constant Contact for WordPress" plugin, which allows for remote code execution. An attacker could exploit this flaw by sending specially crafted data to a vulnerable website, potentially leading to a complete system compromise, data theft, and website defacement. Organizations using this plugin are at significant risk and must take immediate action to apply the necessary updates.

The vulnerability is a Deserialization of Untrusted Data, which leads to a PHP Object Injection. The plugin fails to properly sanitize user-supplied data before it is processed by the unserialize() PHP function. An unauthenticated attacker can craft a malicious serialized object and send it to a vulnerable endpoint within the plugin, which, when deserialized by the application, can trigger a "property-oriented programming" (POP) chain to execute arbitrary code on the underlying server in the context of the web server user.

This vulnerability is rated as High severity with a CVSS score of 8.8. A successful exploit could result in a complete compromise of the affected WordPress website. Potential consequences include theft of sensitive data such as customer information and user credentials, website defacement, installation of backdoors or malware for persistent access, and using the compromised server to launch further attacks. Such an incident could lead to significant reputational damage, financial loss, and potential regulatory penalties for data breaches.

Immediate Action: Update the "Constant Contact for WordPress" plugin to the latest version provided by the vendor immediately. After updating, review all WordPress security settings, plugins, and themes. If the plugin is no longer required for business operations, it should be deactivated and completely removed to reduce the overall attack surface.

Proactive Monitoring: Monitor web server access logs for unusual POST requests directed at the plugin's endpoints, particularly those containing long, encoded strings indicative of serialized objects. Implement file integrity monitoring to detect unauthorized changes to WordPress core files, themes, or plugins. Analyze outbound network traffic from the web server for suspicious connections, which could indicate a successful compromise.

Compensating Controls: If patching is not immediately possible, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block PHP object injection and deserialization attacks. Restrict access to the WordPress administrative interface to trusted IP addresses. Harden the server environment by disabling unnecessary PHP functions that are often used in exploit chains (e.g., exec(), shell_exec(), system()).

Public Exploit Available: false

Given the high CVSS score of 8.8 and the potential for remote code execution, this vulnerability poses a critical risk to the organization. Although this CVE is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity warrants immediate attention. We strongly recommend that all system administrators identify WordPress instances running the vulnerable "Constant Contact for WordPress" plugin and apply the vendor-supplied patches or remove the plugin without delay to prevent potential compromise.