CVE-2025-60089
WP · WP Gravity Forms FreshDesk Plugin by CRM Perks
A critical vulnerability has been identified in the WP Gravity Forms FreshDesk Plugin for WordPress, which could allow an unauthenticated attacker to take complete control of an affected website.
Executive summary
A critical vulnerability has been identified in the WP Gravity Forms FreshDesk Plugin for WordPress, which could allow an unauthenticated attacker to take complete control of an affected website. The flaw stems from the insecure processing of user-supplied data, enabling an attacker to execute arbitrary code and compromise the server's confidentiality, integrity, and availability. Due to the high severity (CVSS 9.8), immediate remediation is required to prevent potential system compromise.
Vulnerability
The vulnerability is classified as Deserialization of Untrusted Data, leading to PHP Object Injection. The plugin passes user-supplied data to PHP's unserialize() without validating it or restricting which classes may be instantiated. An attacker can exploit this by sending a specially crafted serialized string to an endpoint handled by the plugin. When unserialize() processes the malicious string, PHP instantiates whatever classes the string names and later invokes their magic methods (such as __wakeup or __destruct); these can be chained into a "Property Oriented Programming" (POP) gadget chain to execute arbitrary code, manipulate files, or interact with the database, resulting in a full compromise of the web application.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8, indicating a high potential for significant business disruption. Successful exploitation could lead to a complete takeover of the affected website and underlying server. The potential consequences include theft of sensitive data (such as customer information from Gravity Forms submissions), website defacement, distribution of malware to visitors, and using the compromised server to launch further attacks. Such an incident could result in severe reputational damage, financial loss, and regulatory penalties.
Remediation
Immediate Action: Update the WP Gravity Forms FreshDesk Plugin to the latest version available from the vendor (a version greater than 1.3.5). After updating, review web server access logs and application logs for any signs of exploitation attempts that may have occurred prior to patching.
Proactive Monitoring: Security teams should actively monitor web server and WAF (Web Application Firewall) logs for suspicious POST requests containing serialized PHP object strings (e.g., patterns starting with O:). Monitor the file system for any unexpected or recently modified PHP files within the WordPress installation directory, which could indicate the presence of a web shell.
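As an added example (not part of this advisory or of the plugin's code), the following Python script ties the two points above together: a PHP serialized-object header of the form O:<length>:"<ClassName>":<count>:{ names the class that unserialize() will instantiate, and that header can be spotted in request data even when it arrives URL-encoded or base64-encoded. The log format with a body="…" field, the IP addresses, paths, form field names and the Example\Mailer class name are all constructed for this example; ordinary access logs do not record POST bodies, so the script assumes a WAF or application log that does.

```python
"""Flag PHP serialized-object payloads in request logs (constructed example).

unserialize() instantiates the class named in each O:<len>:"<Class>":<n>:{
header, so listing those class names tells a responder what a payload would
have created. Payloads are often URL-encoded and sometimes base64-encoded on
top of that, so both layers are peeled before matching.
"""
from __future__ import annotations

import base64
import binascii
import re
from urllib.parse import parse_qsl, unquote_plus

# Header of a PHP serialized object. Class names may be namespaced (Foo\Bar).
PHP_OBJECT_HEADER = re.compile(r'O:(\d+):"([A-Za-z0-9_\\]+)":\d+:\{')

# Loose heuristic for a token worth trying to base64-decode.
BASE64_TOKEN = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')

# Constructed log format: combined log line plus a body="..." field as a WAF or
# application log might record it (the body is kept URL-encoded, so no raw quotes).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3})(?: body="(?P<body>[^"]*)")?'
)


def php_object_classes(data: str) -> list[str]:
    """Return the class names unserialize() would instantiate for this string.

    A header is only counted when its declared length matches the class name,
    which discards fragments that merely resemble serialized data.
    """
    classes = []
    for match in PHP_OBJECT_HEADER.finditer(data):
        declared_len, name = int(match.group(1)), match.group(2)
        if len(name) == declared_len:
            classes.append(name)
    return classes


def decode_layers(value: str, depth: int = 3) -> list[str]:
    """Return the value plus its URL-decoded and base64-decoded variants (bounded depth)."""
    seen: set[str] = set()
    variants: list[str] = []
    frontier = [value]
    for _ in range(depth):
        next_frontier = []
        for v in frontier:
            if v in seen:
                continue
            seen.add(v)
            variants.append(v)
            unquoted = unquote_plus(v)
            if unquoted != v:
                next_frontier.append(unquoted)
            if BASE64_TOKEN.match(v.strip()):
                try:
                    decoded = base64.b64decode(v.strip(), validate=True)
                    next_frontier.append(decoded.decode("utf-8", "replace"))
                except (binascii.Error, ValueError):
                    pass
        frontier = next_frontier
    return variants


def scan_request_body(body: str) -> dict[str, list[str]]:
    """Map each form field to the PHP classes a serialized payload in it would instantiate."""
    findings: dict[str, list[str]] = {}
    for field, value in parse_qsl(body, keep_blank_values=True):
        classes: list[str] = []
        for variant in decode_layers(value):
            classes.extend(php_object_classes(variant))
        if classes:
            findings[field] = sorted(set(classes))
    return findings


def scan_log(lines: list[str]) -> list[dict]:
    """Return one alert per request whose body carries a PHP serialized object."""
    alerts = []
    for line in lines:
        match = LOG_LINE.match(line)
        if not match or not match.group("body"):
            continue  # unparseable line or a request without a recorded body
        findings = scan_request_body(match.group("body"))
        if findings:
            alerts.append({"ip": match.group("ip"), "path": match.group("path"), "fields": findings})
    return alerts


# Constructed sample log: two benign requests, two carrying O:8:"stdClass" payloads,
# and one fragment that looks like a header but whose declared length does not match.
SAMPLE_LOG = [
    '203.0.113.10 - - [01/Oct/2025:10:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 body="action=heartbeat&_nonce=abc123"',
    '198.51.100.7 - - [01/Oct/2025:10:00:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 body="action=import&data=O%3A8%3A%22stdClass%22%3A1%3A%7Bs%3A3%3A%22foo%22%3Bs%3A3%3A%22bar%22%3B%7D"',
    '198.51.100.7 - - [01/Oct/2025:10:00:09 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 body="action=import&data=Tzo4OiJzdGRDbGFzcyI6MDp7fQ%3D%3D"',
    '203.0.113.10 - - [01/Oct/2025:10:00:12 +0000] "POST /wp-comments-post.php HTTP/1.1" 200 body="comment=O%3A1%3A%22xx%22%3A0%3A%7B"',
    '203.0.113.10 - - [01/Oct/2025:10:00:15 +0000] "GET /?p=1 HTTP/1.1" 200',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The length check in php_object_classes is what keeps the rule from firing on prose or identifiers that happen to contain "O:1:", and decode_layers is bounded so a log line cannot make the scanner loop on nested encodings. A hit lists the classes the payload names; any class other than stdClass or the plugin's own data types in a public endpoint is worth a closer look during incident review.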
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block PHP object injection and deserialization attacks. Restrict access to endpoints associated with the plugin if they are not required for public use.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.8, this vulnerability poses a severe risk to any organization using the affected plugin. Although it is not currently listed on the CISA KEV catalog and no public exploits are available, the potential for a full system compromise necessitates immediate action. We strongly recommend that all administrators identify instances of the WP Gravity Forms FreshDesk Plugin and apply the vendor-supplied security update without delay to mitigate this threat.