CVE-2026-7637

STYXKEY · Boost

The Boost plugin for WordPress is vulnerable to PHP Object Injection via an untrusted cookie, which may lead to remote code execution if a POP chain exists.

Executive summary

A critical PHP Object Injection vulnerability in the Boost WordPress plugin allows unauthenticated attackers to inject arbitrary PHP objects into the application and, where a suitable POP chain is present, to achieve remote code execution.

Vulnerability

The plugin deserializes untrusted input from the STYXKEY-BOOST_USER_LOCATION cookie. An unauthenticated attacker can inject a malicious PHP object, though exploitation depends on the availability of a POP chain within the site's ecosystem.

Business impact

With a CVSS score of 9.8, this vulnerability is critical. Although exploitation relies on the presence of a POP chain, the large number of third-party plugins and libraries typically installed on a WordPress site makes it highly likely that such a chain exists, leading to potential data theft or code execution.

Remediation

Immediate Action: Update the Boost plugin to the latest version.

Proactive Monitoring: Monitor for unusual cookie values or attempts to inject serialized objects through HTTP headers.

Compensating Controls: Implement a WAF to inspect and block serialized PHP objects in incoming cookie data.
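The following is an added detection example, not code from the advisory or from the Boost plugin. It shows what the monitoring and WAF recommendations above amount to in practice, and illustrates the deserialization flaw described in the Vulnerability section from the defender's side: a cookie value is percent-decoded (and base64-unwrapped if it looks wrapped), walked with a minimal reader for PHP's serialize() format, and flagged only when it carries an O: or C: object token, even one nested inside an array. Plain serialized scalars or arrays, which a location cookie might legitimately contain, are reported separately so a rule does not have to block all serialized data to be useful. The sample Cookie header is constructed for this example (stdClass is used as the object class precisely because it carries no gadget); the cookie name is the one named in the advisory.

```python
"""Spot PHP-serialized objects in HTTP cookie values (defensive detection example)."""
import base64
import binascii
import re
from urllib.parse import quote, unquote_to_bytes


class PhpSerialWalker:
    """Minimal reader for PHP's serialize() format.

    It does not rebuild values; it walks the structure and records the class
    name of every O: (object) and C: (custom-serialized object) token, even
    when nested inside arrays.  Raises ValueError on malformed input.
    """

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0
        self.classes: list[str] = []

    def _expect(self, token: bytes) -> None:
        if not self.data.startswith(token, self.pos):
            raise ValueError(f"expected {token!r} at offset {self.pos}")
        self.pos += len(token)

    def _read_until(self, stop: bytes) -> bytes:
        end = self.data.find(stop, self.pos)
        if end == -1:
            raise ValueError(f"missing {stop!r} after offset {self.pos}")
        out = self.data[self.pos:end]
        self.pos = end + len(stop)
        return out

    def _read_counted_string(self) -> bytes:
        # LEN:"bytes" -- LEN counts bytes, which is why the walker works on bytes
        length = int(self._read_until(b":"))
        self._expect(b'"')
        raw = self.data[self.pos:self.pos + length]
        if len(raw) != length:
            raise ValueError("truncated string")
        self.pos += length
        self._expect(b'"')
        return raw

    def _walk_members(self) -> None:
        # COUNT:{key value key value ...}  (array elements or object properties)
        count = int(self._read_until(b":"))
        self._expect(b"{")
        for _ in range(count):
            self.walk_value()  # key / property name
            self.walk_value()  # value
        self._expect(b"}")

    def walk_value(self) -> None:
        if self.pos >= len(self.data):
            raise ValueError("unexpected end of data")
        tag = self.data[self.pos:self.pos + 1]
        self.pos += 1
        if tag == b"N":                                # null: N;
            self._expect(b";")
        elif tag in (b"b", b"i", b"d", b"r", b"R"):    # bool/int/float/references
            self._expect(b":")
            self._read_until(b";")
        elif tag == b"s":                              # string: s:LEN:"...";
            self._expect(b":")
            self._read_counted_string()
            self._expect(b";")
        elif tag == b"a":                              # array: a:COUNT:{...}
            self._expect(b":")
            self._walk_members()
        elif tag == b"O":                              # object: O:LEN:"Class":COUNT:{...}
            self._expect(b":")
            self.classes.append(self._read_counted_string().decode("utf-8", "replace"))
            self._expect(b":")
            self._walk_members()
        elif tag == b"C":                              # custom: C:LEN:"Class":LEN:{opaque}
            self._expect(b":")
            self.classes.append(self._read_counted_string().decode("utf-8", "replace"))
            self._expect(b":")
            opaque_len = int(self._read_until(b":"))
            self._expect(b"{")
            self.pos += opaque_len
            self._expect(b"}")
        else:
            raise ValueError(f"unknown tag {tag!r}")


_B64_SHAPE = re.compile(rb"[A-Za-z0-9+/_-]+={0,2}")


def _candidate_payloads(raw: str) -> list[bytes]:
    """Cookie values are percent-encoded and often base64-wrapped; try both layers."""
    decoded = unquote_to_bytes(raw)
    candidates = [decoded]
    if _B64_SHAPE.fullmatch(decoded):
        try:
            std = decoded.replace(b"-", b"+").replace(b"_", b"/")  # accept URL-safe alphabet
            candidates.append(base64.b64decode(std, validate=True))
        except binascii.Error:
            pass
    return candidates


def classify_cookie_value(raw: str) -> dict:
    """Return {'verdict': ..., 'classes': [...]} for one cookie value.

    'plain'             -> not PHP-serialized at all
    'serialized-data'   -> scalars/arrays only (what a location cookie might legitimately hold)
    'serialized-object' -> O:/C: tokens present, which is what unserialize() must never see: alert or block
    """
    for payload in _candidate_payloads(raw):
        walker = PhpSerialWalker(payload)
        try:
            walker.walk_value()  # unserialize() returns the first value and tolerates trailing bytes
        except ValueError:
            continue
        if walker.classes:
            return {"verdict": "serialized-object", "classes": walker.classes}
        return {"verdict": "serialized-data", "classes": []}
    return {"verdict": "plain", "classes": []}


def scan_cookie_header(header: str) -> dict:
    """Classify every cookie in a raw Cookie: request header."""
    results = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            results[name.strip()] = classify_cookie_value(value.strip())
    return results


# Constructed sample header (not a captured request); the serialized values are
# percent-encoded because ';' and '"' are not legal raw cookie characters.
SAMPLE_COOKIE_HEADER = "; ".join([
    "session=abc123",
    "STYXKEY-BOOST_USER_LOCATION=" + quote('a:2:{s:3:"lat";d:48.85;s:3:"lon";d:2.35;}', safe=""),
    "tracker=" + quote('O:8:"stdClass":1:{s:4:"city";s:5:"Paris";}', safe=""),
    "pref=" + base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}').decode(),
    "lang=en-US",
])

if __name__ == "__main__":
    for name, result in scan_cookie_header(SAMPLE_COOKIE_HEADER).items():
        print(f"{name:28s} {result['verdict']:18s} {result['classes']}")
```

Run on the constructed header, the location cookie is reported as serialized-data, the tracker and pref cookies as serialized-object (the latter only after base64 unwrapping and only because the walker descends into the array), and the rest as plain. A WAF rule written this way can block object tokens in cookie data without breaking a plugin that legitimately stores a serialized array in the same cookie; the walker's ValueError path also keeps the rule from misfiring on ordinary opaque values. On the application side the equivalent fix is to avoid unserialize() on cookie input altogether, or at minimum to call it with allowed_classes set to false, which makes PHP return an __PHP_Incomplete_Class instead of instantiating a gadget.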

Exploitation status

Public Exploit Available: false

Analyst recommendation

Deserialization vulnerabilities are complex and dangerous. Administrators should prioritize updating the Boost plugin and audit the entire plugin stack to identify and remove any components that provide potential POP chains.