Impact
The vulnerability is a PHP Object Injection flaw in the Anti‑Malware Security and Brute‑Force Firewall plugin for WordPress. An attacker can supply crafted data that is unserialized by the plugin, enabling execution of arbitrary code on the server. This weakness is classified as CWE‑502 and can compromise confidentiality, integrity, and availability of the hosting environment.
Affected Systems
Affected products are the WordPress Anti‑Malware Security and Brute‑Force Firewall plugin by Eli Scheetz. Versions 4.23.87 and earlier are impacted; any deployment using these releases is vulnerable.
Risk and Exploitability
The CVSS score of 8.8 indicates a high risk level. EPSS is below 1 %, implying a low probability of exploitation in the wild; the issue is not in the CISA KEV catalog. The likely attack path involves an attacker sending a crafted HTTP request that includes serialized PHP data to the plugin’s endpoints. This inference is based on the nature of PHP Object Injection and typical WordPress plugin handling, as the CVE description does not explicitly state the access vector.
OpenCVE Enrichment