The vulnerability is a PHP object injection flaw that allows untrusted data to be deserialized into PHP objects, enabling an attacker to execute arbitrary code on the server. It is classified as a CWE‑502 "Deserialization of Untrusted Data" vulnerability. Successful exploitation could give the attacker full control over the WordPress site, allowing file upload, database manipulation, or the execution of malicious scripts, thereby compromising confidentiality, integrity, and availability.

The flaw affects the MetaSlider Responsive Slider by MetaSlider (ml‑slider) plugin for WordPress, specifically all versions equal to or lower than 3.94.0. Any WordPress installation that has this plugin installed in those versions is impacted.

The CVSS score of 9.8 indicates critical severity, while the EPSS score of less than 1% suggests a low but non‑zero likelihood of exploitation in the wild. The vulnerability is not currently listed in CISA’s KEV catalog. Based on the description, the attack vector is inferred to be remote and can be triggered through the plugin’s exposed API or administrative interfaces, potentially requiring authenticated access to the plugin’s functions. Successful exploitation would result in remote code execution on the affected WordPress site.