The plugin unserialises the content of an imported file, which could lead to PHP object injection issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.
To simulate a gadget chain, put the following code in a plugin: class Evil { public function __wakeup() : void { die(“Arbitrary deserialization”); } } Create a file named import.dat with the below content and import it (via Appearance > Customize > Import/Export): O:4:“Evil”:0:{};