Impact
This vulnerability is a PHP Object Injection flaw in the WebAppick CTX Feed WordPress plugin. The flaw allows an attacker to supply a crafted serialized object that the plugin deserializes without proper validation, leading to arbitrary code execution when the payload is processed. Because the deserialization occurs within the WordPress web application, successful exploitation would compromise the confidentiality, integrity and availability of the entire site and its underlying server.
Affected Systems
WordPress installations that have the WebAppick CTX Feed Plugin version 6.6.26 or earlier installed are affected. Any site that uses this plugin and has not upgraded past the 6.6.26 release is vulnerable.
Risk and Exploitability
The CVSS score of 7.2 indicates high severity, yet the EPSS score of less than 1% signals a low likelihood of exploitation at present. The vulnerability is not listed in CISA's KEV catalog. The likely attack path involves an attacker transmitting a malicious serialized payload to one of the plugin’s input handling routes—such as a form field or URL parameter—that triggers unsanitized deserialization and execution of arbitrary code.
OpenCVE Enrichment