CVE-2025-7504
Friends · Friends plugin for WordPress
Executive summary
A high-severity vulnerability has been identified in the "Friends" plugin for WordPress, which could allow an unauthenticated attacker to inject malicious code into a website. Successful exploitation could lead to a complete site takeover, theft of sensitive data, or service disruption for any organization utilizing this plugin. Due to the critical nature of this flaw, immediate remediation is strongly recommended to protect web assets.
Vulnerability
The vulnerability is a PHP Object Injection flaw. It occurs because the plugin improperly handles user-supplied data by passing it to the unserialize() PHP function. An attacker can craft a malicious serialized string containing a "gadget chain"—a sequence of objects from the application's codebase—that, when deserialized, will execute arbitrary commands or actions on the server. Exploitation requires the attacker to send a specially crafted request to the vulnerable component of the plugin, potentially allowing for remote code execution, file manipulation, or complete system compromise.
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. A successful attack could have significant business consequences, including the theft of sensitive company or customer data, leading to regulatory fines and reputational damage. An attacker could deface the website, disrupt business operations by making the site unavailable, or install backdoors to maintain persistent access. The compromised server could also be used to launch further attacks against other internal or external systems, posing a broader security risk to the organization.
Remediation
Immediate Action: The primary remediation is to update the affected "Friends" plugin to the latest patched version immediately. If the plugin is not essential for business operations, it should be deactivated and completely removed from the WordPress installation to eliminate the attack surface. Additionally, a review of all WordPress security settings is recommended to ensure a hardened posture.
Proactive Monitoring:
- Web Server Logs: Monitor Apache/Nginx access logs for unusual POST requests containing long, encoded strings, which may indicate attempts to submit serialized PHP objects.
- PHP Error Logs: Check PHP error logs for warnings or errors related to the unserialize() function or unexpected class behavior.
- File Integrity Monitoring (FIM): Use FIM to detect unauthorized changes to WordPress core, plugin, or theme files, or the creation of suspicious new files in web directories.
Compensating Controls:
- Web Application Firewall (WAF): Implement a WAF with a ruleset designed to detect and block PHP Object Injection attack patterns in incoming traffic.
- Principle of Least Privilege: Ensure the web server's user account has the minimum permissions necessary to function, restricting an attacker's ability to read/write sensitive files outside the web root.
- Disable Vulnerable Functions: If feasible for the application, consider disabling the unserialize() function via the disable_functions directive in the php.ini configuration to prevent this class of attack, though this may cause application instability, since WordPress core itself calls unserialize() when reading serialized options.
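The following is an added example, not part of this advisory and not code from the Friends plugin, that turns the "Web Server Logs" monitoring bullet and the WAF compensating control into a concrete check. It scans combined-format access log lines for query parameters carrying serialized PHP data, tries a base64 decoding as well, and reports only the parameters that would make unserialize() instantiate a class (the O: and C: tokens that a gadget chain is built from), rather than any long encoded string. That distinction goes slightly beyond the advisory text: a serialized array of strings (a:, s:) is common in legitimate WordPress traffic and cannot instantiate an object on its own. The log lines, the /example-endpoint path and the ExampleClass class name are constructed placeholders; real Apache/Nginx access logs contain only the request target, so POST bodies must come from a body-logging or WAF audit log fed to scan_value() instead.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlsplit

# unserialize() instantiates a class only for O: (object) and C: (custom
# Serializable) tokens; s:, i:, a: etc. never do. The token is either at the
# start of the value or follows ';' or '{' inside an enclosing array/object.
OBJECT_TOKEN = re.compile(r'(?:^|[;{])([OC]):(\d+):"([^"]*)":')
# Any leading PHP serialization token, used to report "serialized data" even
# when no object would be created.
SERIALIZED_START = re.compile(r'^(?:a:\d+:\{|[OC]:\d+:"|s:\d+:"|i:-?\d+;|b:[01];|d:-?\d|N;)')
# Request line inside a combined-format access log entry.
REQUEST_LINE = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+"')


def object_classes(value: str) -> list[str]:
    """Class names unserialize() would instantiate from an already-decoded value.
    The declared name length must match the name, which weeds out accidental matches."""
    return [name for _, length, name in OBJECT_TOKEN.findall(value) if int(length) == len(name)]


def decodings(value: str) -> list[str]:
    """The value as received plus a base64 decoding when it is valid base64.
    Form decoding turns '+' into a space, so spaces are restored before decoding."""
    out = [value]
    try:
        raw = base64.b64decode(value.replace(' ', '+'), validate=True)
        out.append(raw.decode('utf-8', 'replace'))
    except (binascii.Error, ValueError):
        pass
    return out


def scan_value(value: str) -> dict:
    """Report whether a parameter carries serialized PHP data and which classes it names."""
    serialized = False
    classes: list[str] = []
    for candidate in decodings(value):
        if SERIALIZED_START.match(candidate):
            serialized = True
        classes.extend(object_classes(candidate))
    return {'serialized': serialized, 'classes': classes}


def request_params(line: str) -> dict[str, str]:
    """URL-decoded query parameters of the request target in one access log line."""
    match = REQUEST_LINE.search(line)
    if not match:
        return {}
    return dict(parse_qsl(urlsplit(match.group(2)).query, keep_blank_values=True))


def scan_log(lines: list[str]) -> list[dict]:
    """One finding per parameter that would make unserialize() instantiate a class."""
    findings = []
    for number, line in enumerate(lines, 1):
        for name, value in request_params(line).items():
            report = scan_value(value)
            if report['classes']:
                findings.append({'line': number, 'param': name, 'classes': report['classes']})
    return findings


# Constructed sample log lines (placeholders, not taken from any real site).
ENCODED_OBJECT = base64.b64encode(b'O:12:"ExampleClass":0:{}').decode()  # same harmless token, base64
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jul/2025:12:00:01 +0000] "GET /?p=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # serialized array of strings: serialized data, but no class is instantiated
    '203.0.113.6 - - [10/Jul/2025:12:00:02 +0000] "GET /example-endpoint?data=a%3A1%3A%7Bi%3A0%3Bs%3A2%3A%22hi%22%3B%7D HTTP/1.1" 200 88 "-" "curl/8.0"',
    # URL-encoded object token naming a class
    '203.0.113.7 - - [10/Jul/2025:12:00:03 +0000] "POST /example-endpoint?payload=O%3A12%3A%22ExampleClass%22%3A0%3A%7B%7D HTTP/1.1" 200 88 "-" "curl/8.0"',
    # the same object token, base64-encoded
    f'203.0.113.8 - - [10/Jul/2025:12:00:04 +0000] "POST /example-endpoint?payload={ENCODED_OBJECT} HTTP/1.1" 200 88 "-" "curl/8.0"',
]

if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: parameter '{finding['param']}' names class(es) {finding['classes']}")
```

Only lines 3 and 4 of the sample are reported; line 2 is serialized but harmless by itself. A WAF rule built on the same idea blocks on the object token rather than on string length, which keeps legitimate serialized option data flowing while catching the pattern the advisory describes.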
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.5) of this vulnerability and its potential for remote code execution, we recommend that organizations treat this as a critical priority. All internet-facing WordPress sites using the "Friends" plugin should be patched immediately. Although there is no current evidence of active exploitation, the risk of a future attack is high. If patching cannot be performed immediately, the compensating controls listed above, particularly the use of a WAF, should be implemented as an interim measure.