A critical vulnerability has been identified in a popular WordPress plugin used for managing form data, which could allow an unauthenticated attacker to take complete control of an affected website. Successful exploitation could lead to total system compromise, resulting in data theft, website defacement, and further attacks originating from the compromised server. Due to the high severity, immediate patching is required to mitigate this significant risk.

The plugin is vulnerable to PHP Object Injection. This flaw occurs because the application deserializes user-supplied input without proper validation. An unauthenticated attacker can craft a malicious serialized PHP object and submit it to the application, which, when processed, can trigger a "Property Oriented Programming" (POP) chain to execute arbitrary code, manipulate files, or interact with the underlying database, all within the security context of the web server.

This vulnerability is rated as critical severity with a CVSS score of 9.8, indicating a high potential for widespread and severe damage. Exploitation could lead to a complete compromise of the WordPress application and the underlying server. Potential consequences include the theft of sensitive data submitted through web forms (e.g., PII, credentials), website defacement causing reputational harm, distribution of malware to site visitors, and the use of the compromised server as a pivot point for launching further attacks against the organization's internal network.

Immediate Action: Immediately update The Database for Contact Form Multiple Products plugin to the latest available version (greater than 1.4.3) across all WordPress instances. After patching, thoroughly review web server and application access logs for any signs of suspicious activity or exploitation attempts that may have occurred prior to the update.

Proactive Monitoring: Implement continuous monitoring of web server access logs for unusual POST requests, particularly those containing serialized PHP object strings (e.g., data starting with O:). Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block PHP Object Injection attack patterns. Monitor WordPress audit logs for unauthorized changes, such as new admin accounts, plugin modifications, or unexpected file uploads.

Compensating Controls: If patching is not immediately possible, disable and deactivate the vulnerable plugin until an update can be applied. If the plugin is mission-critical and cannot be disabled, deploy a WAF with strict, targeted rules to block malicious serialized payloads. Additionally, harden web server file permissions to limit the impact of a potential code execution event.

Public Exploit Available: false

Given the critical CVSS score of 9.8, this vulnerability poses a direct and immediate threat to the confidentiality, integrity, and availability of affected websites. Although not currently listed on the CISA KEV catalog, the severity and potential for unauthenticated remote code execution demand urgent attention. We strongly recommend all organizations apply the vendor-supplied patch to all affected systems as a top priority to prevent a full system compromise.