The vulnerability is a PHP object injection flaw that arises from deserialization of untrusted data within the Site Chat on Telegram plugin. When maliciously crafted serialized objects reach the plugin, they are instantiated, enabling an attacker to execute arbitrary code in the context of the WordPress site. This flaw effectively grants full control over the affected system, including potential data exfiltration, alteration, or further propagation of malware.

The issue affects Guru Team's Site Chat on Telegram plugin, versions from the initial release through 1.0.4. WordPress sites that have installed any of these versions are vulnerable until the plugin is updated to a version beyond 1.0.4.

The CVSS base score is 9.8, indicating critical severity. The EPSS score is listed as < 1%, suggesting a low probability of exploitation at the moment, but the high severity means that any exploitation would have devastating consequences. Based on the description, it is inferred that the plugin processes serialized data sent via site requests, so the attack vector is likely remote and could involve crafted POST or GET requests that supply malicious serialized payloads. The flaw is not currently listed in CISA KEV, but organizations should not rely on this status. The risk remains high until a patched version is deployed or the plugin is removed.