CVE-2026-49105

CRM Perks · WP Zendesk

An unauthenticated PHP Object Injection vulnerability in the WP Zendesk integration for WordPress allows attackers to execute arbitrary code via deserialization of untrusted data.

Executive summary

A critical unauthenticated PHP Object Injection vulnerability in the WP Zendesk plugin exposes the host system to potential remote code execution.

Vulnerability

This vulnerability is a deserialization of untrusted data (CWE-502) that unauthenticated remote attackers can trigger. Attacker-controlled input reaches PHP's unserialize() without validation, so a crafted serialized string can instantiate any class loaded by WordPress, the active theme or the installed plugins, with attacker-chosen property values. Whether that ends in code execution depends on a usable gadget chain: a class whose magic methods (__wakeup(), __destruct(), __toString() and similar) act on those properties in a way that writes files, includes code or runs shell commands. No authentication is required, so the only practical barrier is the presence of such a chain, and the more third-party code a site loads, the more likely one is present.

Business impact

The CVSS score of 9.8 reflects the critical nature of this vulnerability. Successful exploitation could lead to total compromise of the WordPress site: unauthorized access to the stored Zendesk API credentials and the customer data they protect, and full remote control over the server environment.

Remediation

Immediate Action: Update the WP Zendesk plugin to the fixed version as soon as the vendor publishes it. Until then, deactivate the plugin; if the vulnerable code could be reached by requesting a plugin file directly rather than through a WordPress hook, remove the plugin directory as well, because deactivation alone leaves those files on disk and reachable.

Proactive Monitoring: Watch the PHP error log for unserialize() failures ("Error at offset ..."), for notices about incomplete objects (a sign that a payload named a class the site does not load, which is typical of gadget-chain probing), and for the side effects a successful chain produces: new or modified PHP files under wp-content, and unexpected child processes or outbound connections from the web server user.

Compensating Controls: Put a WAF rule in front of the site that blocks requests whose parameters, cookies or headers carry a serialized PHP object (the O:<length>:"<class>": header), and apply it after URL decoding and to base64-encoded values, since both wrappings are common in real payloads. Treat this as a stopgap, not a fix: generic rules can be evaded by encodings they do not unwrap, and they do nothing about the underlying unserialize() call.
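The check below is an added example written for this advisory, not code from CRM Perks or the WP Zendesk plugin. It shows what the attacker's input looks like on the wire, which is the object header the vulnerability section describes, and turns the monitoring and WAF controls above into concrete logic: a scanner that finds serialized PHP object headers in request values across raw, URL-encoded and base64-encoded layers, and a filter for the PHP error-log lines that unserialize() emits on bad input. The parameter names, the Example_Gadget class and the log lines are constructed for illustration; the plugin's actual vulnerable endpoint and parameter are not known from this advisory, so the request check treats every value alike.

```python
"""Spot serialized PHP object payloads in request data, and unserialize()
failures in PHP error logs.  Added example for this advisory; it is not code
from CRM Perks or the WP Zendesk plugin.  Parameter names, values and log
lines below are constructed: the plugin's vulnerable endpoint is not named
here, so every request value is inspected the same way."""
import base64
import binascii
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# Serialized PHP object header: O:<name length>:"<Class>":<property count>:{
# The C: form is produced by classes implementing the Serializable interface.
_OBJ_HEADER = re.compile(r'(?<![A-Za-z0-9_])([OC]):(\d+):"([^"]+)":(\d+):\{')

# A run of base64 alphabet long enough to wrap an object header.
_B64_BLOB = re.compile(r'[A-Za-z0-9+/=]{16,}')

# PHP engine messages seen when unserialize() rejects malformed input, or when
# an unserialized object belongs to a class that was never loaded.
_LOG_SIGNATURES = (
    re.compile(r'unserialize\(\): Error at offset \d+ of \d+ bytes'),
    re.compile(r'incomplete object'),
)


def _decode_layers(data: str) -> List[str]:
    """Views of one value: raw, URL-decoded, and any base64 blob inside either
    that decodes cleanly.  Object-injection payloads are commonly URL- or
    base64-wrapped, so inspecting only the raw bytes misses them."""
    views = [data]
    decoded = unquote_plus(data)
    if decoded != data:
        views.append(decoded)
    for view in list(views):
        for blob in _B64_BLOB.findall(view):
            padded = blob + "=" * (-len(blob) % 4)
            try:
                raw = base64.b64decode(padded, validate=True)
            except (binascii.Error, ValueError):
                continue
            views.append(raw.decode("utf-8", errors="replace"))
    return views


def find_php_objects(data: str) -> List[str]:
    """Class names of every serialized object header in any decoding layer.
    The declared length must equal the real name length, exactly as PHP's
    unserialize() demands, so an 'O:' in ordinary text does not fire."""
    found: Dict[str, None] = {}
    for view in _decode_layers(data):
        for _kind, name_len, name, _props in _OBJ_HEADER.findall(view):
            if int(name_len) == len(name.encode("utf-8")):
                found.setdefault(name, None)
    return list(found)


def inspect_request(params: Dict[str, str]) -> List[Tuple[str, str]]:
    """WAF-style check over every parameter, cookie or header value of one
    request.  Returns (name, class) pairs; a non-empty result is the signal
    to block and alert, since no legitimate client posts a serialized PHP
    object to a WordPress endpoint."""
    hits: List[Tuple[str, str]] = []
    for key, value in params.items():
        for cls in find_php_objects(value):
            hits.append((key, cls))
    return hits


def scan_error_log(lines: List[str]) -> List[str]:
    """PHP error-log lines showing unserialize() was fed data it did not
    expect: malformed payloads from probing, or objects of classes the site
    never loads.  Either deserves an alert on a site running the plugin."""
    return [ln for ln in lines if any(sig.search(ln) for sig in _LOG_SIGNATURES)]


if __name__ == "__main__":
    # Constructed request: a benign field plus a base64-wrapped object payload
    # naming a hypothetical gadget class.
    payload = 'O:14:"Example_Gadget":1:{s:4:"path";s:11:"/etc/passwd";}'
    request = {
        "subject": "Printer offline",
        "ticket": base64.b64encode(payload.encode()).decode(),
    }
    print(inspect_request(request))
    # Constructed lines in the PHP error-log format.
    log = [
        "[01-Jan-2026 10:00:00 UTC] PHP Warning:  unserialize(): Error at offset 3 of 47 bytes in /var/www/wp-content/plugins/example/x.php on line 10",
        "[01-Jan-2026 10:00:01 UTC] PHP Notice:  Undefined index: foo in /var/www/wp-content/plugins/example/y.php on line 2",
    ]
    print(scan_error_log(log))
```

Run as a script it flags the constructed request on the ticket field and keeps only the unserialize() warning from the log. Wired into a WAF or log pipeline, inspect_request() blocking on any hit and scan_error_log() feeding an alert cover the two controls above. The length check on the class name mirrors what PHP's unserialize() enforces, so benign text does not trip it easily; the base64 layer is what catches payloads hidden in cookies and hidden form fields, and it is the layer a naive pattern on the raw request body misses.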

Exploitation status

Public Exploit Available: False

Analyst recommendation

Because the flaw is critical and exploitable without authentication, patching is mandatory as soon as the vendor releases the fix. Organizations should inventory the WordPress sites that run this plugin, confirm the installed version, and apply the update the day it is released.