A high-severity vulnerability has been identified in the ConveyThis Language Translate Widget for WordPress. This flaw allows an attacker to send specially crafted data to a website, tricking it into executing malicious code, which could lead to a complete compromise of the website, data theft, or further attacks launched from the infected server.

The vulnerability is an Insecure Deserialization of Untrusted Data, leading to PHP Object Injection. An unauthenticated attacker can send a specially crafted serialized PHP object within an HTTP request to an endpoint managed by the ConveyThis plugin. The application deserializes this data without proper validation, which instantiates the malicious object in memory. This can trigger PHP "magic methods" (e.g., __wakeup(), __destruct()) which, when combined with existing code classes ("gadget chains") on the server, can result in arbitrary code execution, file manipulation, or sensitive information disclosure.

This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could have a significant negative impact on the business. An attacker could take full control of the affected website, leading to website defacement, theft of sensitive customer or business data, and installation of persistent backdoors. This poses a direct risk to brand reputation, customer trust, and operational integrity, potentially resulting in financial loss and regulatory penalties related to data breaches.

Immediate Action:

• Immediately update the "ConveyThis Language Translate Widget" plugin to the latest patched version on all WordPress sites.
• If the plugin is not essential for business operations, the most secure course of action is to disable and completely remove it.
• Review WordPress security hardening settings to ensure they align with best practices.

Proactive Monitoring:

• Monitor web server access logs for unusual POST requests, specifically looking for payloads containing serialized PHP object strings (e.g., patterns starting with O: or a:).
• Implement file integrity monitoring to detect unauthorized changes to WordPress core files, themes, or plugins.
• Monitor for unusual outbound network traffic from the web server, which could indicate a successful compromise.

Compensating Controls:

• If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block PHP object injection and deserialization attack patterns.
• Restrict access to the WordPress administrative dashboard (/wp-admin/) to trusted IP addresses.
• Ensure regular, automated backups of the website are being performed and are stored securely offline.

Public Exploit Available: false

Given the high severity (CVSS 7.2) of this vulnerability and its potential for full site compromise, immediate action is strongly recommended. Organizations must prioritize applying the vendor-supplied patch to the ConveyThis plugin across all relevant web properties without delay. Although this CVE is not currently listed on the CISA KEV list, its high impact warrants urgent attention to prevent potential exploitation. A full audit of all installed WordPress plugins should also be conducted to identify and mitigate similar risks.