The plugin gravitate-qa-tracker insecurely trusts serialized data submitted over HTTP requests. This opens up the site to a PHP object injection vulnerability potential exploit vector.
Attack is exploitable over HTTP requests to sites with the gravitate-qa-tracker Plugin.
The original researcher notified WordPress Plugins team.