CVE-2025-49417
BestWpDeveloper · BestWpDeveloper WooCommerce Product Multi-Action
**A critical Deserialization of Untrusted Data vulnerability in the BestWpDeveloper WooCommerce Product Multi-Action plugin allows an unauthenticated attacker to achieve remote code execution.**
Vulnerability
An unauthenticated attacker can exploit an Object Injection flaw stemming from the insecure deserialization of untrusted data. This vulnerability allows for the execution of arbitrary code on the affected server without requiring any prior authentication or privileges.
Business impact
A successful exploit could lead to a full system compromise, allowing an attacker to steal sensitive customer data, install malware, or deface the website. The assigned Critical CVSS score of 9.8 reflects the high risk of a complete loss of confidentiality, integrity, and availability, which could result in significant financial and reputational damage.
Remediation
Immediate Action: Administrators must immediately update the WooCommerce Product Multi-Action plugin to a patched version. Consult the vendor's advisory for the specific fixed version number.
Proactive Monitoring: Review web server access logs for unusual POST requests targeting the plugin's functionality. Monitor for unexpected file modifications or unauthorized processes running on the server.
Compensating Controls: If immediate patching is not feasible, implement strict Web Application Firewall (WAF) rules to inspect and block serialized PHP objects in incoming requests as a temporary mitigation.
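The compensating control above, as an added example that is not part of the original advisory: a small Python request-body check of the kind a WAF rule would implement, matching the serialized PHP object marker (`O:<len>:"<Class>":<n>:{`) after URL and base64 decoding. The action name and request bodies are constructed samples, not taken from the plugin.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote_plus

# Start of a serialized PHP object: O:<name length>:"<ClassName>":<property count>:{
PHP_OBJECT_RE = re.compile(r'O:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')


def _decodings(value: str):
    """Yield the value as received plus URL-decoded and base64-decoded variants."""
    seen = set()
    for v in (value, unquote_plus(value)):
        if v not in seen:
            seen.add(v)
            yield v
        try:
            raw = base64.b64decode(v, validate=True).decode("utf-8", "ignore")
        except ValueError:  # not base64 (binascii.Error is a ValueError subclass)
            continue
        if raw not in seen:
            seen.add(raw)
            yield raw


def find_php_objects(body: str) -> list[str]:
    """Return the distinct class names of serialized PHP objects found in a body."""
    # Scan the whole body plus every form key and value, so both raw and
    # x-www-form-urlencoded payloads are covered.
    chunks = [body] + [s for pair in parse_qsl(body, keep_blank_values=True) for s in pair]
    classes = set()
    for chunk in chunks:
        for candidate in _decodings(chunk):
            classes.update(PHP_OBJECT_RE.findall(candidate))
    return sorted(classes)


def should_block(body: str) -> bool:
    """WAF-style decision: block any request whose body carries a serialized PHP object."""
    return bool(find_php_objects(body))


# Constructed sample bodies (not real traffic): a benign bulk action, a plainly
# serialized object, and the same object hidden inside a base64-encoded field.
SAMPLE_BODIES = [
    "action=example_bulk_update&ids=12%2C15",
    "data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D",
    "payload=" + base64.b64encode(b'O:8:"stdClass":0:{}').decode(),
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(should_block(body), find_php_objects(body))
```

This is a signature-level stopgap, as the advisory says: it does not replace the vendor patch, and other encodings (gzip, double base64) would need their own decoders.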
Exploitation status
Public Exploit Available: No
Analyst recommendation
Given the critical severity (CVSS 9.8) and the potential for unauthenticated remote code execution, this vulnerability poses an immediate and severe threat to affected systems. We strongly recommend that all administrators prioritize applying the vendor-supplied update without delay to prevent a potential system compromise.