Impact
A PHP Object Injection flaw (CWE‑502 – Untrusted Data De‑Serialization) exists in the Modula Image Gallery plugin version 2.14.18 and earlier. The plugin unserializes input supplied by customers and does not perform strict validation or authentication. An attacker who can reach the plugin’s endpoint can send crafted serialized data that is deserialized and executed, allowing arbitrary PHP code to run under the web server’s permissions. This compromise affects confidentiality, integrity, and availability of the entire WordPress site because the code executes within the application’s full context.
Affected Systems
WordPress sites that use the WP Chill Modula Image Gallery plugin at any version equal to or older than 2.14.18 are affected. The vulnerability applies to all installations that have not been updated to 2.14.19 or later, regardless of server configuration or network exposure.
Risk and Exploitability
The CVSS base score of 7.2 classifies the flaw as high severity, while the EPSS value of less than 1% indicates that active exploitation is currently uncommon. The vulnerability is not listed in the CISA KEV catalog. The attack vector is most likely a remote web request to the plugin’s HTTP interface, where malicious serialized payloads can be transmitted. Successful exploitation would grant full site compromise through remote code execution.
OpenCVE Enrichment