The vulnerability is a deserialization of untrusted data that permits PHP Object Injection, allowing an attacker to manipulate object state or execution flow. This flaw directly maps to CWE-502 and can potentially lead to arbitrary code execution, data corruption, or compromise of the WordPress site host. No additional attack vectors are described, but the nature of object injection suggests remote exploitation through crafted input passed to the plugin.

The issue affects the EmpikPlace for Woocommerce plugin from its initial release through version 1.4.3. Any WordPress site using this plugin within that version range is susceptible.

The CVSS score of 9.8 classifies the issue as critical. While the EPSS score is reported as less than 1 percent, indicating a low current probability of exploitation, the severity warrants immediate attention. The vulnerability is not listed in CISA KEV, but the high score and potential for remote code execution mean that attackers could exploit this flaw once the necessary conditions—such as a WordPress site with the vulnerable plugin—are met. The likely attack path involves submitting specially crafted input that is unserialized by the plugin, leading to object instantiation that can be leveraged to execute arbitrary code.