CVE-2025-52761

manfcarlo · manfcarlo WP Funnel Manager

A critical vulnerability has been identified in the manfcarlo WP Funnel Manager plugin for WordPress.

Executive summary

A critical vulnerability has been identified in the manfcarlo WP Funnel Manager plugin for WordPress. This flaw, rated 9.8 out of 10, allows an unauthenticated attacker to inject malicious code by sending specially crafted data to an affected website, potentially leading to a complete system compromise, data theft, and website defacement. Immediate patching is required to mitigate the significant risk posed by this vulnerability.

Vulnerability

The vulnerability is a Deserialization of Untrusted Data issue: the WP Funnel Manager plugin improperly handles serialized data taken from user-supplied input. An attacker can submit a malicious serialized PHP object, and when the application deserializes it, arbitrary code can be executed on the server. This class of attack, known as PHP Object Injection, can be exploited remotely without any authentication, leading to a full compromise of the underlying web server.

Business impact

This vulnerability is of critical severity with a CVSS score of 9.8, indicating a high likelihood of exploitation with a severe impact. Successful exploitation could grant an attacker complete control over the affected web server. Potential consequences include the theft of sensitive data (customer information, user credentials, payment details), installation of malware or ransomware, website defacement, and using the compromised server to launch further attacks. Such an incident could result in significant financial loss, reputational damage, and regulatory penalties.

Remediation

Immediate Action: Update the manfcarlo WP Funnel Manager plugin to the latest available version (later than 1.4.0), which contains the security patch for this vulnerability. After updating, review system and web server access logs for any signs of compromise or unusual activity that may have occurred before the patch was applied.

Proactive Monitoring: Review web server access logs for suspicious POST requests containing long, complex strings, which may indicate serialized PHP object payloads. Monitor for unexpected processes spawned by the web server user (e.g., www-data, apache), and use File Integrity Monitoring (FIM) to detect unauthorized files, such as web shells, being created in the web root directory.

Compensating Controls: If immediate patching is not feasible, consider the following temporary measures:

  • Disable the WP Funnel Manager plugin until it can be safely updated.
  • Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block PHP object injection and deserialization attacks.
  • Restrict access to the web server from untrusted IP addresses if possible, although this may not be effective against a determined attacker.
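
As an added example (not the plugin's code, which this advisory does not show), the following PHP illustrates the deserialization pattern described under Vulnerability, two hardened alternatives, and a marker check that supports the WAF and log-review controls above. Function names and sample inputs are constructed; PHP 8 is assumed.

```php
<?php
// Illustrative example, not the plugin's code. Function names are hypothetical.

// VULNERABLE pattern: unserialize() on untrusted input will instantiate any
// loaded class, so attacker-chosen properties reach magic methods such as
// __wakeup() and __destruct(). This is the PHP Object Injection primitive.
function load_state_vulnerable(string $raw): mixed
{
    return unserialize($raw);
}

// HARDENED (1): keep the wire format but refuse objects. Any "O:"/"C:" token is
// materialised as __PHP_Incomplete_Class and no user-defined code runs.
function load_state_scalars_only(string $raw): mixed
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// HARDENED (2): preferred for untrusted input. Do not use PHP serialization at
// all; JSON cannot express objects that carry behaviour.
function load_state_json(string $raw): ?array
{
    try {
        $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($data) ? $data : null;
}

// Detection: a serialized PHP object begins O:<len>:"<class>":<count>: (or C:
// for Serializable classes). Matching this in request bodies or query strings
// is a cheap, high-signal indicator for a WAF rule or log triage.
function looks_like_serialized_object(string $s): bool
{
    $re = '/(?:^|[;{:])[OC]:\d+:"[A-Za-z_\\\\][\w\\\\]*":\d+:/';
    return preg_match($re, urldecode($s)) === 1;
}

// Constructed sample inputs.
$benign  = 'a:1:{s:4:"step";i:2;}';               // plain serialized array
$object  = 'O:8:"stdClass":1:{s:4:"step";i:2;}';  // object-shaped payload
$encoded = rawurlencode($object);                 // as it appears in a query string

var_dump(looks_like_serialized_object($benign));
var_dump(looks_like_serialized_object($encoded));
var_dump(load_state_scalars_only($object) instanceof __PHP_Incomplete_Class);
var_dump(load_state_json('{"step":2}'));
```

The marker check is a triage aid, not a substitute for the patch: it flags the serialized-object shape in input and logs while the deserialization itself is removed or restricted in code.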

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity (CVSS 9.8) of this vulnerability, we strongly recommend that organizations prioritize the immediate update of the manfcarlo WP Funnel Manager plugin on all affected WordPress sites. Although this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its high score makes it a prime target for opportunistic attackers. Delaying remediation exposes the organization to an unacceptable level of risk for a full system compromise.