CVE-2026-45247

Mirasvit · Full Page Cache Warmer for Magento 2

Mirasvit Full Page Cache Warmer for Magento 2 contains a PHP object injection vulnerability allowing unauthenticated RCE via the CacheWarmer cookie.

Executive summary

An unauthenticated PHP object injection vulnerability in Mirasvit Full Page Cache Warmer for Magento 2 enables remote attackers to achieve arbitrary code execution.

Vulnerability

The vulnerability stems from an insecure call to PHP's unserialize() function using user-controlled input from the CacheWarmer cookie. This allows an unauthenticated attacker to inject malicious serialized objects, triggering gadget chains that result in remote code execution.

Business impact

With a CVSS score of 9.8, this vulnerability represents a critical threat to Magento-based e-commerce environments. Exploitation leads to total server compromise, potentially exposing customer PII, payment information, and administrative credentials. This could result in significant financial loss and severe regulatory compliance violations.

Remediation

Immediate Action: Update the Mirasvit Full Page Cache Warmer plugin to version 1.11.12 or higher.

Proactive Monitoring: Inspect web server access logs for suspicious cookie values containing serialized PHP objects or anomalous requests directed at the cache warming mechanism.

Compensating Controls: Deploy WAF rules to detect and block serialized PHP objects in incoming HTTP headers and cookies.
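The two controls above (log inspection and a WAF signature) both come down to recognizing PHP serialization syntax in the CacheWarmer cookie. The following is an added example, not code from the advisory or from Mirasvit: a small Python scanner that parses access-log lines carrying the request Cookie header, pulls out the CacheWarmer value, URL-decodes it (and tries a base64 decoding, since cookie values are often wrapped that way), and flags values that begin with or embed a serialized PHP object (`O:` / `C:`) or array (`a:`). The log format, the log lines and the cookie values are all constructed for the example; the regexes are assumptions about what a serialized payload looks like, not signatures published by the vendor.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Start of a serialized PHP object ("O:") or custom-serialized object ("C:"), either at
# the beginning of the value or nested inside an array/object body ("{" or ";" before it).
PHP_OBJECT_RE = re.compile(r'(?:^|[{;])[OC]:\d+:"[A-Za-z0-9_\\]+":\d+[:{]')
# A top-level serialized PHP array; harmless alone but a common wrapper for objects.
PHP_ARRAY_RE = re.compile(r'^a:\d+:\{')

# Combined-style access log with the request Cookie header appended in quotes.
# Constructed format for this example; adapt the pattern to the real LogFormat in use.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<cookies>[^"]*)"$'
)

COOKIE_NAME = "CacheWarmer"

# Constructed sample log: a benign cookie, a URL-encoded serialized object,
# a base64-encoded serialized array ("YTowOnt9" == "a:0:{}"), and a request with no cookies.
SAMPLE_LOG = """\
198.51.100.7 - - [01/May/2026:10:00:01 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 5120 "CacheWarmer=1; PHPSESSID=abc123"
198.51.100.8 - - [01/May/2026:10:00:02 +0000] "GET / HTTP/1.1" 200 8990 "PHPSESSID=def456; CacheWarmer=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"
198.51.100.9 - - [01/May/2026:10:00:03 +0000] "GET / HTTP/1.1" 200 8990 "CacheWarmer=YTowOnt9"
203.0.113.5 - - [01/May/2026:10:00:04 +0000] "GET / HTTP/1.1" 200 8990 "-"
"""


def extract_cookie(cookie_header, name=COOKIE_NAME):
    """Return the raw value of `name` from a Cookie header, or None if it is absent."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def decodings(raw):
    """Yield (encoding, text) for each plausible decoding of a cookie value."""
    url_decoded = unquote(raw)
    yield "plain", url_decoded
    try:
        # validate=True rejects values with characters outside the base64 alphabet.
        decoded = base64.b64decode(url_decoded, validate=True)
        yield "base64", decoded.decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        pass


def classify(raw):
    """Return (kind, encoding, decoded) where kind is 'object', 'array' or None."""
    for encoding, text in decodings(raw):
        if PHP_OBJECT_RE.search(text):
            return "object", encoding, text
        if PHP_ARRAY_RE.match(text):
            return "array", encoding, text
    return None, None, None


def scan_log(text):
    """Return one finding per log line whose CacheWarmer cookie looks PHP-serialized."""
    findings = []
    for line in text.splitlines():
        match = LOG_LINE_RE.match(line)
        if not match:
            continue  # line does not carry the expected fields; skip it
        raw = extract_cookie(match.group("cookies"))
        if raw is None:
            continue
        kind, encoding, decoded = classify(raw)
        if kind:
            findings.append({
                "ip": match.group("ip"),
                "ts": match.group("ts"),
                "kind": kind,
                "encoding": encoding,
                "decoded": decoded,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['ip']} {finding['kind']} ({finding['encoding']}): {finding['decoded']}")
```

The object pattern is deliberately narrower than "anything containing a colon and a brace" so that ordinary cookie values do not trip it, and array hits are reported separately because a bare serialized array is far more likely to be benign than an embedded object. The same two regexes, applied to the URL-decoded and base64-decoded cookie, are a reasonable starting point for the WAF rule described above; a request whose CacheWarmer cookie matches the object pattern has no legitimate reason to reach the application.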

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability is highly critical due to the lack of required authentication. Organizations utilizing Magento 2 with the Mirasvit Full Page Cache Warmer must apply the vendor-provided patch immediately to prevent unauthorized code execution and potential data exfiltration.