The Live Composer – Free WordPress Website Builder plugin suffers from a PHP Object Injection vulnerability (CWE-502) due to unsafe deserialization of untrusted input in the dslc_module_posts_output shortcode. This vulnerability affects all versions up to and including 2.0.2. An authenticated attacker with at least Contributor-level privileges can inject malicious PHP objects through the deserialization process. However, the plugin itself does not contain a gadget chain (POP chain) that would allow exploitation to escalate to code execution or file manipulation. The risk arises if the target WordPress installation has other plugins or themes that provide a POP chain, which can be leveraged to perform destructive or unauthorized actions such as arbitrary file deletion, sensitive data retrieval, or remote code execution. The vulnerability is network exploitable without user interaction but requires low privileges and a high attack complexity due to the prerequisite of a POP chain. The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects a high severity rating, indicating significant confidentiality, integrity, and availability impacts if exploited. No patches or official fixes are currently linked, and no known exploits have been observed in the wild as of the publication date.

If exploited in an environment where a suitable POP chain exists, this vulnerability could lead to severe consequences including full site compromise, data breaches, and service disruption. Attackers could delete critical files, steal sensitive information such as user data or credentials, or execute arbitrary PHP code to maintain persistence or pivot within the network. Since WordPress powers a significant portion of websites globally, especially small to medium businesses and content creators, the impact could be widespread. The requirement for authenticated access limits the attack surface but does not eliminate risk, as Contributor-level accounts are commonly granted to external content creators or less trusted users. The absence of a POP chain in the plugin itself reduces immediate risk but increases complexity in assessing exposure, as organizations must evaluate their entire WordPress ecosystem. Failure to address this vulnerability could lead to reputational damage, regulatory penalties, and operational downtime for affected organizations.

Organizations should immediately audit their WordPress installations to identify the presence of the Live Composer plugin and verify the version in use. Upgrading to a patched version once available is the most effective mitigation. Until a patch is released, administrators should restrict Contributor-level and higher privileges to trusted users only, minimizing the risk of exploitation. Conduct a thorough review of all installed plugins and themes to detect any that contain known POP chains enabling PHP Object Injection exploitation. Removing or updating such components reduces the attack surface. Implement web application firewalls (WAFs) with rules to detect and block suspicious serialized payloads targeting the vulnerable shortcode. Enable logging and monitoring for unusual activities related to plugin usage and file system changes. Consider disabling or limiting the use of the dslc_module_posts_output shortcode if not essential. Regular backups and incident response plans should be in place to recover quickly if exploitation occurs.