CVE-2025-68038

Icegram · Icegram Express Pro (also known as email-subscribers-premium)

Executive summary

A critical vulnerability has been discovered in the Icegram Express Pro plugin, which could allow a remote, unauthenticated attacker to take complete control of an affected website. The flaw stems from the insecure handling of data, enabling an attacker to inject malicious code that executes on the server. Successful exploitation could lead to a full system compromise, data theft, and significant service disruption.

Vulnerability

The vulnerability is a Deserialization of Untrusted Data, which leads to a PHP Object Injection. The application accepts serialized data from an untrusted source and processes it without proper validation. An attacker can craft a malicious serialized payload (a "gadget chain") which, when deserialized by the application, can instantiate unexpected classes and trigger a chain of method calls, ultimately resulting in arbitrary code execution on the server. Exploitation likely requires no authentication, allowing a remote attacker to gain full control over the web server.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit would have a severe business impact, potentially leading to a complete compromise of the web server. The consequences include, but are not limited to, theft of sensitive data (such as customer information, PII, and payment details), website defacement, deployment of ransomware, or using the compromised server to launch further attacks. Such an incident could result in significant financial loss, reputational damage, and potential legal and regulatory penalties.

Remediation

Immediate Action: Update the Icegram Express Pro plugin to the latest version available from the vendor (a version later than 5.9.11) without delay. After patching, review web server and application access logs for unusual or malicious-looking requests, particularly those made before the update, to identify any exploitation attempts.

Proactive Monitoring: Security teams should monitor for indicators of compromise. This includes inspecting inbound network traffic for suspicious POST requests containing serialized PHP objects (e.g., data starting with O:). Monitor for unexpected file modifications on the web server, unauthorized new processes, and unusual outbound network connections from the server.

Compensating Controls: If patching cannot be performed immediately, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block PHP object injection and deserialization attacks. Restrict access to any endpoints known to process serialized data. Additionally, ensure file integrity monitoring is in place to detect unauthorized changes to the application's codebase.
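As an added example (not code from the advisory or the vendor), the following Python scanner implements the monitoring and WAF guidance from the two sections above: it looks for serialized PHP object headers in request bodies and query strings, including URL-encoded and base64-wrapped forms, over constructed sample requests with placeholder paths.

```python
import base64
import binascii
import re
from urllib.parse import unquote_plus

# Header of a serialized PHP object: O:<name length>:"<ClassName>":<props>:{
# Tighter than the bare "O:" prefix named in the advisory, to reduce false positives.
PHP_OBJECT_RE = re.compile(rb'O:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')
B64_RUN_RE = re.compile(rb'[A-Za-z0-9+/]{16,}={0,2}')  # base64 runs long enough to hide one

def decoded_views(data: bytes) -> list[bytes]:
    """Raw data plus URL-decoded and base64-decoded views of it."""
    views = [data, unquote_plus(data.decode("utf-8", "replace")).encode("utf-8")]
    for view in list(views):
        for run in B64_RUN_RE.findall(view):
            try:
                views.append(base64.b64decode(run, validate=True))
            except (binascii.Error, ValueError):
                continue  # not valid base64; ignore this run
    return views

def find_php_objects(data: bytes) -> list[str]:
    """Class names of serialized PHP objects found in any view of the data."""
    found: list[str] = []
    for view in decoded_views(data):
        for match in PHP_OBJECT_RE.finditer(view):
            name = match.group(1).decode("utf-8", "replace")
            if name not in found:
                found.append(name)
    return found

def scan_requests(requests: list[tuple[str, str, bytes]]) -> list[tuple[str, str, list[str]]]:
    """Flag requests whose query string or body carries a serialized PHP object."""
    flagged = []
    for method, path, body in requests:
        classes = find_php_objects(path.encode("utf-8") + b"\n" + body)
        if classes:
            flagged.append((method, path, classes))
    return flagged

# Constructed sample requests (method, path, body); placeholder paths, not real traffic.
SAMPLE_REQUESTS = [
    ("POST", "/placeholder-endpoint", b"action=save&email=a%40b.test&name=Alice"),
    ("POST", "/placeholder-endpoint", b'action=import&data=O:8:"stdClass":1:{s:1:"a";i:1;}'),
    ("POST", "/placeholder-endpoint",
     b"action=import&data=" + base64.b64encode(b'O:14:"Example_Gadget":0:{}')),
    ("GET", "/?s=O:8:%22stdClass%22:0:%7B%7D", b""),
]
```

Expect some legitimate serialized data in a WordPress environment; scope the rule to the endpoints concerned before turning alerts into WAF blocks.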

Exploitation status

Public Exploit Available: false

Analyst recommendation

Due to the critical severity of this vulnerability and the high likelihood of future exploitation, it is strongly recommended that organizations prioritize patching this vulnerability immediately. All instances of the Icegram Express Pro plugin should be updated without delay. Although this CVE is not currently on the CISA KEV list, its high-impact nature makes it a prime candidate for future inclusion and a top target for attackers. Treat this as an emergency and apply the necessary updates to all affected systems to prevent a potential compromise.