CVE-2026-49765

WordPress · Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms

The Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress suffers from unauthenticated PHP Object Injection via deserialization of untrusted input.

Executive summary

A critical unauthenticated PHP Object Injection flaw in the Integration for Mailchimp and Contact Form 7 plugin exposes WordPress environments to potential remote compromise.

Vulnerability

The plugin passes untrusted input to PHP deserialization without validating it, allowing unauthenticated attackers to inject arbitrary PHP objects. Object injection turns into remote code execution only if a compatible POP (property-oriented programming) gadget chain exists in the plugin, the theme, or other code installed in the environment.

Business impact

The CVSS score of 9.8 underscores the severity of this flaw. Exploitation could allow attackers to bypass standard authentication, leading to unauthorized data exfiltration, modification of application logic, or total administrative takeover of the WordPress instance.

Remediation

Immediate Action: Update the affected plugin to the latest version provided by the vendor.

Proactive Monitoring: Review application and database logs for unusual activity or unauthorized administrative actions following plugin usage.

Compensating Controls: Use a WAF to inspect and filter incoming traffic for serialized PHP object signatures that could indicate an injection attempt.
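As an added illustration of the compensating control above (not code from the plugin, the vendor, or this advisory), the following Python helper scans a request's query string and body for PHP serialized-object markers, including URL-encoded and base64-encoded variants, so a WAF rule or a log-review script can flag them. The request samples, the class name `Some_Class` and the parameter names are constructed for the example; the plugin's real endpoints and parameters are not given on this page.

```python
"""Flag PHP serialized-object markers in HTTP request data.

Added example, not code from the plugin or the advisory. Assumes a WAF hook
or log parser hands each request's query string and body to scan_request().
"""
import base64
import re
from urllib.parse import unquote_plus

# A serialized PHP object looks like  O:<len>:"<ClassName>":<n>:{...}
# (C:<len>:"<ClassName>":<n>:{...} is the older Serializable form).
OBJECT_MARKER = re.compile(r'[OC]:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')
# Candidate base64 (standard or URL-safe alphabet, padding excluded).
BASE64_CHUNK = re.compile(r"[A-Za-z0-9+/_-]{16,}")


def _decode_layers(value):
    """Return the raw value plus URL-decoded and base64-decoded variants."""
    variants = [value]
    decoded = unquote_plus(value)
    if decoded != value:
        variants.append(decoded)
    for layer in list(variants):
        for chunk in BASE64_CHUNK.findall(layer):
            candidate = chunk.replace("-", "+").replace("_", "/")
            candidate += "=" * (-len(candidate) % 4)
            try:
                text = base64.b64decode(candidate, validate=True).decode(
                    "utf-8", errors="ignore")
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            if text:
                variants.append(text)
    return variants


def find_serialized_objects(value):
    """Class names of serialized PHP objects found in any decoding layer."""
    found = []
    for layer in _decode_layers(value):
        for match in OBJECT_MARKER.finditer(layer):
            name = match.group(1)
            if name not in found:
                found.append(name)
    return found


def scan_request(method, path, query, body):
    """Scan one request; the verdict can drive a WAF rule or log triage."""
    hits = {}
    for location, value in (("query", query), ("body", body)):
        classes = find_serialized_objects(value)
        if classes:
            hits[location] = classes
    return {"method": method, "path": path, "flagged": bool(hits), "hits": hits}


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = [
    # Ordinary form submission: nothing to flag.
    ("POST", "/wp-admin/admin-ajax.php", "action=contact_form",
     "name=Jane&email=jane%40example.com"),
    # URL-encoded serialized object in a POST field.
    ("POST", "/wp-admin/admin-ajax.php", "",
     "data=O%3A10%3A%22Some_Class%22%3A1%3A%7Bs%3A4%3A%22prop%22%3Bs%3A1%3A%22x%22%3B%7D"),
    # The same object base64-encoded inside a query parameter.
    ("GET", "/", "state=" + base64.b64encode(
        b'O:10:"Some_Class":1:{s:4:"prop";s:1:"x";}').decode(), ""),
]

if __name__ == "__main__":
    for request in SAMPLE_REQUESTS:
        print(scan_request(*request))
```

Any object marker is flagged, including benign classes such as `stdClass`, because unauthenticated clients have no business sending serialized PHP to a form-handling endpoint; in a WAF, start such a rule in alert-only mode and scope it to the plugin's request paths before switching it to block.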

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability presents a high risk of unauthorized access. It is imperative that security teams audit their WordPress installations and apply the necessary updates immediately to eliminate this attack surface.