A high-severity vulnerability has been identified in the Nexter Extension – Site Enhancements Toolkit plugin for WordPress. This flaw allows an attacker to inject malicious PHP code, which could result in a complete compromise of the affected website. Successful exploitation could lead to data theft, website defacement, or the server being used for further malicious activities.

The vulnerability is a PHP Object Injection flaw. It occurs because the plugin unsafely deserializes user-supplied data without proper sanitization. An attacker can submit a specially crafted serialized PHP object as input, which, when processed by the unserialize() function, can trigger a chain of commands using existing code within the application (a "POP chain"). This can ultimately lead to arbitrary code execution on the server, allowing the attacker to create or modify files, exfiltrate database information, or take full control of the WordPress installation.

This is a high-severity vulnerability with a CVSS score of 8.1. Successful exploitation could lead to a significant negative business impact, including a full compromise of the web server. The primary risks to the organization include data breaches involving sensitive customer or corporate information, reputational damage from website defacement, and financial loss from cleanup and recovery efforts. A compromised server could also be used as a pivot point to attack other systems within the corporate network or to host malware and phishing sites, creating further legal and financial liabilities.

Immediate Action:

• Immediately update the "Nexter Extension – Site Enhancements Toolkit" plugin to the latest version provided by the vendor, which contains a patch for this vulnerability.
• If the plugin is not critical to business operations, the recommended course of action is to deactivate and completely remove it to eliminate the attack surface.

Proactive Monitoring:

• Monitor web server access logs for unusual POST requests to plugin endpoints, particularly those containing long, encoded, or suspicious-looking strings which may indicate a serialized PHP payload.
• Implement file integrity monitoring to detect unauthorized changes to WordPress core files, themes, or plugins.
• Review network traffic for unexpected outbound connections from the web server, which could be a sign of a successful compromise.

Compensating Controls:

• If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block PHP Object Injection attempts.
• Harden the server environment by disabling PHP functions that are commonly abused in code execution exploits (e.g., exec(), shell_exec(), system(), passthru()) if they are not required for website functionality.
• Ensure regular backups of the website and database are being performed and are stored in a secure, isolated location.

Public Exploit Available: false

Given the high severity (CVSS 8.1) of this vulnerability, we strongly recommend immediate remediation. All organizations must identify systems running the affected "Nexter Extension" plugin and apply the vendor-supplied update without delay. Although this CVE is not currently on the CISA Known Exploited Vulnerabilities (KEV) list, the potential for complete system compromise necessitates that this be treated as a critical priority for patching.