A high-severity vulnerability has been identified in the "Redirection for Contact Form 7" plugin for WordPress. This flaw, a PHP Object Injection, could allow an unauthenticated attacker to inject malicious code by sending a specially crafted request. Successful exploitation could lead to a full compromise of the affected website, resulting in data theft, website defacement, or further attacks on the network.

The vulnerability is a PHP Object Injection flaw that exists due to the insecure deserialization of user-supplied data. An attacker can provide a malicious, serialized PHP object as input to the plugin. When the application's unserialize() function processes this object, it can trigger a "Property Oriented Programming" (POP) chain, which leverages existing code within the application ("gadgets") to perform unintended actions, such as arbitrary file writes, SQL injection, or remote code execution.

This vulnerability is rated as High severity with a CVSS score of 7.5. A successful exploit could have significant negative consequences for the business. An attacker could gain full administrative control over the WordPress site, leading to the theft of sensitive data, including customer information, user credentials, and proprietary business data. Further impacts include severe reputational damage from website defacement, financial loss due to remediation costs and potential regulatory fines, and the risk of the compromised website being used to distribute malware or launch phishing attacks against customers.

Immediate Action:

• Immediately update the "Redirection for Contact Form 7" plugin to the latest patched version provided by the vendor.
• If the plugin is not essential for business operations, consider deactivating and uninstalling it completely to eliminate this attack vector.
• Review all WordPress user accounts for any unauthorized additions or privilege escalations.

Proactive Monitoring:

• Monitor web server access logs for unusual or malformed POST requests, particularly those containing long, base64-encoded, or serialized strings targeting plugin-related endpoints.
• Implement file integrity monitoring to detect and alert on any unauthorized changes to core WordPress files, themes, or plugins.
• Review network traffic for any suspicious outbound connections originating from the web server, which could indicate a successful compromise.

Compensating Controls:

• If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block PHP Object Injection attack patterns.
• Restrict access to the WordPress administrative dashboard (/wp-admin/) to trusted IP addresses.
• Ensure the web server is running with the least privilege necessary to limit the potential impact of a code execution exploit.

Public Exploit Available: false

Given the high-severity rating and the potential for remote code execution, we strongly recommend that immediate action be taken. All system administrators should prioritize updating the "Redirection for Contact Form 7" plugin to the latest version across all WordPress instances. Although this CVE is not currently on the CISA KEV list, the widespread use of WordPress and its plugins makes it a highly attractive target for attackers, warranting an urgent and proactive response to prevent exploitation.