CVE-2026-2471
WP Mail Logging · WP Mail Logging Plugin
The WP Mail Logging plugin for WordPress is vulnerable to PHP Object Injection, which could allow for remote code execution.
Executive summary
A critical PHP Object Injection vulnerability in the WP Mail Logging WordPress plugin could allow an attacker to execute arbitrary code and gain full control of the affected website.
Vulnerability
The vulnerability is a PHP Object Injection flaw in the WP Mail Logging plugin. It arises when user-supplied input is passed to the PHP unserialize() function without validation, potentially allowing an attacker to inject a crafted PHP object that triggers a malicious payload. Depending on the "gadget chains" available in the installed code, this could lead to unauthenticated remote code execution.
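The insecure pattern described above, beside a hardened form and a simple detection check, as an added example: this is not code from the WP Mail Logging plugin, the function names and sample inputs are constructed for illustration, and PHP 7.0 or later is assumed for the allowed_classes option of unserialize().

```php
<?php
// Added illustration of the flaw class; not code from WP Mail Logging.
// Function and variable names below are hypothetical.

// Vulnerable pattern: untrusted input reaches unserialize() unchanged, so any
// class with a magic method (__wakeup, __destruct, ...) can be instantiated.
function load_filter_vulnerable(string $raw) {
    return unserialize($raw);
}

// Hardened pattern: allowed_classes => false (PHP 7.0+) makes unserialize()
// return __PHP_Incomplete_Class for any object instead of instantiating it;
// a payload that still carries an object is then rejected outright.
function load_filter_hardened(string $raw): ?array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data) || contains_object($data)) {
        return null; // refuse the whole input rather than use part of it
    }
    return $data;
}

// True if any leaf of the decoded array is an object (nested arrays are walked).
function contains_object(array $data): bool {
    $found = false;
    array_walk_recursive($data, function ($leaf) use (&$found) {
        $found = $found || is_object($leaf);
    });
    return $found;
}

// Detection helper for a WAF rule or log review: flags a serialized object
// (O:) or custom-serialized class (C:) token inside a request parameter.
function looks_like_serialized_object(string $raw): bool {
    return preg_match('/(?:^|[;{])[OC]:\d+:"/', $raw) === 1;
}

// Constructed sample inputs: a plain settings array and one carrying an object.
$benign        = serialize(['status' => 'sent', 'per_page' => 25]);
$carriesObject = 'a:1:{s:6:"filter";O:8:"stdClass":0:{}}';
foreach ([$benign, $carriesObject] as $input) {
    printf("%s\n  accepted=%s flagged=%s\n", $input,
        load_filter_hardened($input) === null ? 'no' : 'yes',
        looks_like_serialized_object($input) ? 'yes' : 'no');
}
```

Storing such settings as JSON and using json_decode() removes the unserialize() call entirely and is the stronger fix where the data format can be changed.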
Business impact
Successful exploitation of PHP Object Injection can lead to a complete site takeover, allowing attackers to steal sensitive user data, deface the site, or use the server for further malicious activities. The CVSS score of 7.5 reflects a high severity due to the potential for total system compromise.
Remediation
Immediate Action: Update the WP Mail Logging plugin to the latest version, or deactivate and remove the plugin if it is no longer required.
Proactive Monitoring: Scan the WordPress installation for unauthorized PHP files or changes to core files that may indicate a successful compromise.
Compensating Controls: Ensure that the WordPress environment is running on a modern version of PHP, where certain insecure functions are more restricted, and use a WAF to filter malicious serialized data.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Immediate remediation is required to protect WordPress sites using this plugin. Administrators must prioritize updating the plugin to the latest version to mitigate the risk of a full site compromise through remote code execution.