CVE-2026-27053

WordPress · Broadcast Live Video

An unauthenticated PHP object injection vulnerability in the Broadcast Live Video plugin for WordPress allows remote code execution.

Executive summary

A critical PHP object injection vulnerability in the Broadcast Live Video WordPress plugin allows unauthenticated attackers to execute arbitrary code on the server.

Vulnerability

The plugin passes data received from an HTTP request to PHP's unserialize() without restricting which classes may be instantiated. Because the serialized string names the class and supplies its property values, the attacker can create an instance of any class loaded at that point (from the plugin, WordPress core or another active plugin) whose magic methods (__wakeup, __destruct, __toString and similar) act on those properties; such a class is a gadget, and a suitable chain of gadgets turns the injection into remote code execution as the web server user. No authentication is required.
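The following standalone PHP script is an added illustration of the vulnerability class; it is not code from the Broadcast Live Video plugin, and the CacheWriter class, the cookie name and the function names are hypothetical. It shows the vulnerable pattern (unserialize() on an attacker-supplied string), a gadget whose destructor performs a file write, and two hardened replacements:

```php
<?php
// Added illustration of PHP object injection; not code from the Broadcast Live
// Video plugin. The class and function names below are hypothetical.

// A "gadget": any loaded class whose magic method does something dangerous
// with attacker-controlled properties. Plugins ship classes like this for
// legitimate caching or logging.
class CacheWriter {
    public $path;
    public $contents;
    public function __construct($path = '', $contents = '') {
        $this->path = $path;
        $this->contents = $contents;
    }
    // Runs automatically when the object is destroyed, including objects that
    // exist only because unserialize() created them. Writing a .php file under
    // the web root with this primitive is a webshell.
    public function __destruct() {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->contents);
        }
    }
}

// Vulnerable pattern: request data fed straight into unserialize(), which
// instantiates whatever class the string names.
function load_prefs_vulnerable(string $raw) {
    return unserialize($raw);
}

// Hardened pattern 1: refuse to instantiate any class. Arrays and scalars
// still round-trip; an O:... token becomes __PHP_Incomplete_Class, whose
// magic methods never run.
function load_prefs_hardened(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}

// Hardened pattern 2 (preferred for new code): no PHP serialization for
// untrusted input at all; malformed input fails closed with an exception.
function load_prefs_json(string $raw): array {
    $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// --- Demonstration ---
$target   = sys_get_temp_dir() . '/poi_demo.txt';
$contents = "attacker-controlled contents\n";
@unlink($target);

// The payload as an attacker would send it in a cookie or POST field. It is
// hand-built: the attacker needs no copy of the class, only its name and the
// property names, which are readable in the plugin source.
$payload = sprintf('O:11:"CacheWriter":2:{s:4:"path";s:%d:"%s";s:8:"contents";s:%d:"%s";}',
    strlen($target), $target, strlen($contents), $contents);
echo "payload:    $payload\n";

$obj = load_prefs_vulnerable($payload);
unset($obj);                    // triggers __destruct(): the file is written
echo "vulnerable: file written = " . var_export(file_exists($target), true) . "\n";

@unlink($target);
$safe = load_prefs_hardened($payload);
echo "hardened:   class = " . get_class($safe) . "\n";   // __PHP_Incomplete_Class
unset($safe);                   // no destructor runs
echo "hardened:   file written = " . var_export(file_exists($target), true) . "\n";

try {
    load_prefs_json($payload);
} catch (JsonException $e) {
    echo "json:       rejected (" . $e->getMessage() . ")\n";
}
@unlink($target);
```

Run it with php from the command line. The point of the demonstration is that the dangerous side effect happens during object destruction, with no call into CacheWriter anywhere in the request handler; the only thing the attacker controls is a string.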

Business impact

Rated CVSS 9.8 (Critical). Code execution as the web server user gives an attacker full control of the WordPress installation and its data, a foothold from which to compromise the rest of the hosting environment, and a server that can be used as a node for further malicious activity.

Remediation

Immediate Action: Update the Broadcast Live Video plugin to version 7.1.3 or later. If the update cannot be applied promptly, deactivate the plugin until it can be; because the vulnerability is unauthenticated, it is reachable by anyone who can send HTTP requests to the site.

Proactive Monitoring: Monitor for suspicious outbound network connections from the web server, which may indicate command-and-control communication, for new or modified PHP files under the WordPress installation (wp-content in particular), and for web server log entries whose request parameters or cookies contain serialized PHP object syntax (the O: token followed by a class name).

Compensating Controls: A Web Application Firewall (WAF) rule that rejects serialized PHP objects in query strings, request bodies and cookies reduces exposure, but only to payloads it recognises: base64 or otherwise encoded payloads, and parameters the rule does not inspect, pass through. Treat it as a stopgap, not a substitute for the update.
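An added example of such a request filter, written as a standalone PHP script rather than taken from the plugin or from WordPress (the function names, the constant and the sample requests are constructed for the example). It looks for the serialized-object token in request values, peeling URL encoding and base64 a few layers deep, and shows which constructed requests it blocks and which it lets through:

```php
<?php
// Added compensating-control example; not part of the Broadcast Live Video
// plugin or of WordPress. The pattern suits a must-use plugin that rejects
// requests carrying serialized PHP objects before any other plugin code runs.

// Canonical serialized-object token: O:<len>:"<class>": either at the start
// of the value or nested inside an array/object body. The C: form (custom
// serialization) is included because it also instantiates a class.
const PHP_OBJECT_TOKEN = '/(?:^|[;{:])[OC]:\d+:"[A-Za-z_\x80-\xff\\\\][A-Za-z0-9_\x80-\xff\\\\]*":/';

// Peels common transport wrappers (URL encoding, base64) a few layers deep so
// a payload hidden as base64 in a cookie is still seen. Best effort only:
// compression, custom encodings or payloads split across parameters are missed.
function contains_serialized_object(string $value, int $depth = 3): bool {
    $candidates = [$value];
    for ($i = 0; $i < $depth; $i++) {
        $next = [];
        foreach ($candidates as $c) {
            if (preg_match(PHP_OBJECT_TOKEN, $c)) {
                return true;
            }
            $decoded = rawurldecode($c);
            if ($decoded !== $c) {
                $next[] = $decoded;
            }
            // strict base64 decode (standard and URL-safe alphabets); anything
            // that is not valid base64 is ignored
            if (preg_match('/^[A-Za-z0-9+\/=_-]{8,}$/', $c)) {
                $b = base64_decode(strtr($c, '-_', '+/'), true);
                if ($b !== false && $b !== '') {
                    $next[] = $b;
                }
            }
        }
        if ($next === []) {
            return false;
        }
        $candidates = $next;
    }
    return false;
}

// Walks nested request arrays; returns the path of the first offending value.
function find_serialized_object(array $data, string $prefix = ''): ?string {
    foreach ($data as $key => $value) {
        $path = $prefix === '' ? (string) $key : "$prefix.$key";
        if (is_array($value)) {
            $hit = find_serialized_object($value, $path);
            if ($hit !== null) {
                return $hit;
            }
        } elseif (is_string($value) && contains_serialized_object($value)) {
            return $path;
        }
    }
    return null;
}

// In a WordPress mu-plugin this would run over $_GET, $_POST and $_COOKIE at
// load time; the constructed requests below stand in for that.
$requests = [
    'benign'     => ['_GET' => ['s' => 'live stream'], '_COOKIE' => ['wp_lang' => 'en_US']],
    'plain'      => ['_POST' => ['prefs' => 'O:11:"CacheWriter":1:{s:4:"path";s:10:"/tmp/x.php";}']],
    'nested'     => ['_POST' => ['opt' => 'a:1:{i:0;O:8:"stdClass":0:{}}']],
    'base64'     => ['_COOKIE' => ['blv' => base64_encode('O:8:"stdClass":0:{}')]],
    'urlencoded' => ['_GET' => ['q' => rawurlencode('O:8:"stdClass":0:{}')]],
    'array_only' => ['_POST' => ['opt' => 'a:1:{i:0;s:3:"abc";}']],   // arrays alone carry no class
];
foreach ($requests as $name => $req) {
    $hit = find_serialized_object($req);
    printf("%-11s -> %s\n", $name, $hit === null ? 'allow' : "block ($hit)");
}
// In the real hook: if ($hit !== null) { http_response_code(403); exit; }
```

The array_only case is deliberately allowed: serialized arrays and scalars instantiate nothing, and blocking them would break legitimate plugins that pass such values. The filter's limits are the same as a WAF rule's, which is why it belongs alongside the update, not in place of it.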

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

PHP object injection gives an attacker code execution as the web server user and, through it, access to everything the site can read. Prioritise the update. If a vulnerable version was reachable from the internet before patching, assume the secrets stored on the server (the database credentials and salts in wp-config.php, API keys held in plugin settings) are compromised and rotate them; review the installation for webshells, unexpected administrator accounts and scheduled tasks; and rebuild from a known-good source if compromise is confirmed.