A critical vulnerability has been identified in the WP Gravity Forms Constant Contact Plugin for WordPress, which could allow an unauthenticated attacker to take complete control of an affected website. The flaw, a result of deserializing untrusted data, can be exploited to execute arbitrary code, leading to potential data theft, website defacement, or further network compromise. Immediate patching is required to mitigate this high-risk threat.

The vulnerability is an Insecure Deserialization flaw. The plugin improperly handles serialized data submitted by a user. An attacker can craft a malicious serialized object and send it to the application; when the plugin deserializes this data, it can trigger a "property-oriented programming" (POP) chain, leading to the execution of arbitrary code on the underlying web server with the privileges of the web service account. This type of attack typically does not require authentication.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the web server hosting the WordPress site. The potential consequences include theft of sensitive data submitted through forms (such as PII and customer information), unauthorized modification or deletion of website content, and using the compromised server as a launch point for further attacks against the internal network. This poses a severe risk to data confidentiality, integrity, and availability, potentially resulting in significant financial loss, reputational damage, and regulatory penalties.

Immediate Action: Immediately update the WP Gravity Forms Constant Contact Plugin to the latest version available (a version greater than 1.1.2). After patching, monitor for any signs of exploitation attempts by reviewing web server access logs and application logs for unusual requests or errors.

Proactive Monitoring: Security teams should monitor for POST requests containing serialized PHP objects (e.g., patterns like O:4:"...) in web server access logs. Monitor for unexpected process execution by the web server's user account (e.g., www-data, apache) and any unusual outbound network connections from the web server, which could indicate a successful compromise.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block PHP object injection and deserialization attacks. Restrict access to the plugin's functionality if possible, and ensure the web server process is running with the lowest possible privileges to limit the impact of a potential compromise.

Public Exploit Available: false

Given the critical CVSS score of 9.8, this vulnerability represents a significant and immediate threat to the organization. We strongly recommend that all WordPress sites using the affected plugin be patched immediately, without delay. Although this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity dictates that it should be treated with the highest priority, as it is a prime target for opportunistic and targeted attacks. Organizations should assume active exploitation is imminent and act accordingly.