The vulnerability is a deserialization flaw that allows an attacker to perform PHP object injection in the Sunshine Photo Cart plugin. By manipulating serialized data, an adversary can instantiate arbitrary PHP objects during unserialization, potentially executing code with the privileges of the web application. The weakness is indexed as CWE-502, indicating insecure handling of untrusted data, and it can lead to full compromise of the affected WordPress site, including data theft, modification, and defacement.

WordPress sites running the Sunshine Photo Cart plugin version 3.4.10 or earlier are affected. No other plugins or WordPress core versions are impacted. The issue spans from the initial release of the plugin through version 3.4.10, but any plugin instance that still uses these older releases remains vulnerable.

The CVSS score of 9.8 classifies this as critical. Although the EPSS score is less than 1%, indicating a low probability of exploitation at this time, the lack of a known public exploit and absence from the KEV catalog do not mitigate the severe potential impact. Assuming the attacker can supply crafted serialized payloads—through form inputs or query parameters—she could inject malicious objects, achieving remote code execution once the plugin processes the data. The attack vector is therefore inbound and requires the attacker to control payload data that reaches the plugin’s unserialize logic. Given the severity rating and the critical nature of object injection vulnerabilities, immediate remediation is strongly advised.