A high-severity vulnerability has been identified in the "Employee Directory – Staff Listing & Team Directory" WordPress plugin. This flaw allows an attacker to inject malicious code by sending specially crafted data, potentially leading to a full compromise of the affected website. Successful exploitation could result in data theft, website defacement, or the server being used for further malicious activities.

The vulnerability is an Insecure Deserialization of Untrusted Data. The affected plugin improperly handles serialized data received from a user. An attacker can craft a malicious data object and send it to the application; when the plugin deserializes (unpacks) this object, it can be forced to execute arbitrary code or commands in the context of the web server. This is known as an Object Injection attack and can lead to Remote Code Execution (RCE), giving the attacker significant control over the website and underlying server.

This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation could lead to severe business consequences, including the compromise of sensitive company or customer data stored on the website, unauthorized access to the server, and reputational damage from website defacement. A compromised website could also be used to launch further attacks against visitors or internal networks, posing a significant risk to the organization's security posture and potentially leading to regulatory penalties and financial loss.

Immediate Action:

• Immediately update the "Employee Directory – Staff Listing & Team Directory" plugin to the latest patched version provided by the vendor.
• If the plugin is not essential for business operations, the recommended course of action is to deactivate and completely remove it to eliminate the attack surface.
• Review all WordPress security settings to ensure they align with best practices for hardening the platform.

Proactive Monitoring:

• Monitor web server access logs for unusual POST requests or requests containing suspicious serialized data strings.
• Check for the creation of unexpected files (e.g., PHP web shells) within the WordPress installation directories.
• Monitor for unexpected outbound network connections from the web server, which could indicate a compromise.

Compensating Controls:

• Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block object injection and deserialization attacks.
• Restrict administrative access to the WordPress dashboard to trusted IP addresses only.
• If immediate patching is not possible, disable the vulnerable plugin until a maintenance window is available.

Public Exploit Available: false

Given the high CVSS score of 8.1 and the potential for complete system compromise, this vulnerability poses a critical risk to the organization. Although it is not currently listed on the CISA KEV catalog, its severity warrants immediate attention. We strongly recommend that all system administrators identify installations of the affected plugin and apply the vendor-supplied patch or remove the plugin without delay to mitigate the risk of exploitation.