CVE-2026-39478
WordPress · Anti-Malware Security and Brute-Force Firewall
A PHP object injection vulnerability exists in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress, allowing authenticated contributors to execute arbitrary code.
Executive summary
A PHP object injection vulnerability in the Anti-Malware Security and Brute-Force Firewall plugin allows authenticated contributors to achieve remote code execution, posing a significant risk to site integrity.
Vulnerability
This is a PHP object injection vulnerability occurring in the plugin's handling of serialized data. The flaw is exploitable by authenticated users with 'Contributor' level access or higher.
Business impact
Successful exploitation allows an attacker to manipulate serialized objects to achieve remote code execution, potentially leading to full site compromise, data exfiltration, or unauthorized administrative access. With a CVSS score of 8.8, this vulnerability is classified as High severity and requires immediate attention to prevent operational disruption and loss of sensitive data.
Remediation
Immediate Action: Update the Anti-Malware Security and Brute-Force Firewall plugin to the latest available version provided by the vendor.
Proactive Monitoring: Review WordPress user audit logs for unusual activity from 'Contributor' accounts and monitor server logs for suspicious PHP error patterns.
Compensating Controls: Deploy a Web Application Firewall (WAF) rule to block malicious serialized objects and restrict plugin access to only trusted user roles.
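To make the monitoring and WAF points above concrete, here is an added example (written for this page, not code from the advisory, the plugin or its vendor) that scans request-log lines for PHP serialized object headers, the marker a PHP object injection payload must carry. The log format, the user names, paths and the class name "Constructed_Class" are all constructed for the example; the sample includes a benign serialized array, a free-text mention of "O:" and a malformed header so that only a genuine object header raises an alert.

```python
import re
from urllib.parse import unquote_plus

# PHP serialized object header: O:<name length>:"<class name>":<property count>:{
# (namespaced classes carry a single backslash, hence the escaped backslash)
PHP_OBJECT_RE = re.compile(r'O:(\d+):"([A-Za-z0-9_\\]+)":(\d+):\{')
# Constructed log format for this example (not a real WordPress or WAF format)
LOG_LINE_RE = re.compile(r'user=(\S+) role=(\S+) path=(\S+) body=(\S*)')

def find_serialized_objects(payload):
    """Return class names of PHP object headers in a URL-encoded payload.
    Only headers whose declared length matches the class name count: PHP's
    unserialize() rejects mismatches, so those cannot instantiate anything."""
    decoded = unquote_plus(payload)
    return [m.group(2) for m in PHP_OBJECT_RE.finditer(decoded)
            if int(m.group(1)) == len(m.group(2))]

def scan_log(lines):
    """Return (user, role, path, classes) for every request that carries
    at least one serialized PHP object."""
    alerts = []
    for line in lines:
        m = LOG_LINE_RE.search(line)
        if not m:
            continue  # constructed format only; skip anything else
        classes = find_serialized_objects(m.group(4))
        if classes:
            alerts.append((m.group(1), m.group(2), m.group(3), classes))
    return alerts

# Constructed sample log lines: a benign serialized array, a serialized object,
# a free-text "O:" that is not an object header, and a malformed header.
SAMPLE_LOG = [
    'user=alice role=contributor path=/wp-admin/admin-ajax.php '
    'body=action=save&data=a%3A1%3A%7Bs%3A3%3A%22key%22%3Bs%3A5%3A%22value%22%3B%7D',
    'user=bob role=contributor path=/wp-admin/admin-ajax.php '
    'body=action=save&data=O%3A17%3A%22Constructed_Class%22%3A1%3A%7Bs%3A4%3A%22prop%22%3Bs%3A1%3A%22x%22%3B%7D',
    'user=carol role=editor path=/wp-admin/post.php '
    'body=content=Write+O%3A5%3A%22Hello%22+in+the+box',
    'user=dave role=contributor path=/wp-admin/admin-ajax.php '
    'body=data=O%3A3%3A%22Constructed_Class%22%3A0%3A%7B%7D',
]

if __name__ == "__main__":
    for user, role, path, classes in scan_log(SAMPLE_LOG):
        print(f"ALERT user={user} role={role} path={path} classes={classes}")
```

Legitimate plugins serialize objects too, so tune on the class names the scan reports for each endpoint rather than alerting on every hit.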
Exploitation status
Public Exploit Available: false
Analyst recommendation
The severity of this vulnerability necessitates a rapid response. Administrators should prioritize identifying all instances of the affected plugin and applying the vendor-supplied security patch immediately to mitigate the risk of arbitrary code execution.