This vulnerability is a deserialization flaw that allows an attacker to inject a PHP object into the WPFunnels plugin along with malicious serialized data. When the plugin unserializes that data, it can instantiate the attacker‑controlled object, which may trigger arbitrary code execution or modify system state. The weakness is classified as CWE‑502, a deserialization of untrusted data issue that can lead to remote code execution. The impact is that an unauthenticated attacker could run arbitrary code on the WordPress site, compromising confidentiality, integrity, and availability. Based on the description, it is inferred that the plugin deserializes input data received via HTTP requests, making the remote attack vector possible.

The vulnerability affects the WPFunnels plugin for WordPress, versions up to and including 3.5.18. No specific WordPress core or other product version is listed; the issue exists across all versions from the earliest documented through 3.5.18.

The CVSS score of 9.8 indicates a critical severity, but the EPSS score of less than 1 % suggests that exploitation attempts are currently rare or have low probability. The vulnerability is not listed in the CISA KEV catalog. Because the plugin accepts serialized payloads from external clients, an attacker can craft a malicious request to trigger the object injection, assuming no other defenses (such as input sanitization) are present. The risk is high for any site running a vulnerable version of WPFunnels and could result in full compromise of the site.