CVE-2025-53572

emarket-design · emarket-design WP Easy Contact

Executive summary

A high-severity Untrusted Data Deserialization vulnerability in the WP Easy Contact WordPress plugin allows for Object Injection, which could lead to remote code execution and a complete compromise of the web server.

Vulnerability

The plugin is vulnerable to Deserialization of Untrusted Data. It passes serialized data taken from user input to the deserializer without validating it, so an attacker can submit a crafted payload. When the application deserializes this payload, the result is an Object Injection attack, potentially leading to arbitrary code execution on the server.

Business impact

This vulnerability is rated 8.1 (High) on the CVSS scale, indicating a severe risk. A successful exploit could grant an attacker the ability to execute arbitrary commands on the server with the permissions of the web process. This would allow them to steal or delete all website data, deface the site, or use the server as a foothold to attack the internal network.

Remediation

Immediate Action: Update the WP Easy Contact plugin to the latest patched version available from the vendor without delay. If no patch exists, the plugin must be disabled and uninstalled.

Proactive Monitoring: Analyze web server request logs for long, complex data strings characteristic of serialized PHP objects. Implement file integrity monitoring to detect the creation of malicious files (e.g., web shells) on the server.

Compensating Controls: A Web Application Firewall (WAF) may be able to identify and block generic object injection attack signatures. Hardening server permissions can limit an attacker's ability to cause damage post-exploitation.
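As an added example of the log review suggested under Proactive Monitoring (this is not code from the advisory, the vendor or the plugin), the Python script below scans constructed web-server access-log lines for URL-encoded PHP serialized-object markers. The request paths, the `form_data` parameter and the class names are placeholders, not the plugin's real identifiers.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines, not taken from any real server.
# Paths, parameter names and class names are placeholders for illustration.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2025:12:00:01 +0000] "GET /contact/?page=2 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jul/2025:12:00:05 +0000] "GET /contact/?form_data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D HTTP/1.1" 200 312
198.51.100.4 - - [10/Jul/2025:12:00:09 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88
203.0.113.7 - - [10/Jul/2025:12:00:12 +0000] "GET /?q=a%3A1%3A%7Bi%3A0%3BO%3A4%3A%22Demo%22%3A0%3A%7B%7D%7D HTTP/1.1" 200 40
"""

# A PHP serialized object begins  O:<name length>:"<class name>":<property count>:{
# The class name may be namespaced (backslashes), so the character class allows them.
SERIALIZED_OBJECT = re.compile(r'O:\d+:"([A-Za-z_\\][\w\\]*)":\d+:\{')

# Pull the request target out of the quoted request line of a combined-format entry.
REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def find_serialized_objects(text):
    """Return the class names of every PHP serialized object in text.

    The text is URL-decoded first, because query-string payloads arrive
    percent-encoded in the log.
    """
    return SERIALIZED_OBJECT.findall(unquote_plus(text))


def scan_access_log(log_text):
    """Return (client_ip, request_target, class_names) for each suspicious line.

    Only the request target (path and query string) is inspected: standard
    access logs do not record POST bodies, so body-borne payloads need a
    different source such as a WAF or application log.
    """
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_LINE.search(line)
        if not match:
            continue
        classes = find_serialized_objects(match.group("target"))
        if classes:
            client_ip = line.split(" ", 1)[0]
            hits.append((client_ip, match.group("target"), classes))
    return hits


if __name__ == "__main__":
    for ip, target, classes in scan_access_log(SAMPLE_LOG):
        print(f"{ip} sent serialized object(s) {classes} in {target}")
```

A nested object inside a serialized array (the fourth sample line) is caught as well, since the marker is matched anywhere in the decoded target rather than only at its start.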

Exploitation status

Public Exploit Available: false

Analyst recommendation

The potential for remote code execution makes this a critical vulnerability that requires immediate action. A full server compromise is a likely outcome of a successful attack. All administrators using this plugin must update or remove it immediately to mitigate this threat.