Impact
This vulnerability stems from insecure deserialization of user-controlled data in the Boldermail WordPress plugin: attacker-supplied input reaches PHP's unserialize() with no restriction on which classes may be instantiated, so the attacker can inject arbitrary objects (CWE-502). Object injection on its own only creates an instance of an attacker-chosen class with attacker-chosen property values; the damage comes from magic methods such as __wakeup(), __destruct() or __toString() that PHP invokes on that object automatically. If a usable chain of such methods (a "gadget chain") exists in the plugin, in WordPress core, or in any other installed plugin or theme, the outcome can be remote code execution, arbitrary file writes or deletions, data tampering, or other malicious actions when the plugin processes the injected payload.
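To make the CWE-502 pattern concrete, the following PHP is an added illustration written for this page; it is not Boldermail's code, and the class, function and parameter names (ExampleLogger, load_preferences_*, the idea of a preferences value arriving in a request) are assumptions. It places a vulnerable handler next to two hardened forms and shows what the injected object becomes under each.

```php
<?php
// Added example for this page, not code from the Boldermail plugin.
// ExampleLogger stands in for any class reachable by the autoloader whose
// magic methods do something useful to an attacker (a "gadget").
class ExampleLogger {
    public $path = '/tmp/example.log';
    public $line = '';
    // Runs automatically when the last reference to the object is dropped,
    // i.e. shortly after unserialize() builds it, with attacker-chosen
    // $path and $line.
    public function __destruct() {
        file_put_contents($this->path, $this->line, FILE_APPEND);
    }
}

// VULNERABLE (CWE-502): the raw request value feeds unserialize() directly,
// so an O:...:"ExampleLogger" token in the payload instantiates the class.
function load_preferences_vulnerable(string $raw): array {
    $data = @unserialize($raw);
    return is_array($data) ? $data : [];
}

// HARDENED 1: allowed_classes => false (PHP >= 7.0). Object tokens still
// parse, but come back as __PHP_Incomplete_Class, which defines no
// __wakeup/__destruct/__toString of its own, so no gadget code runs.
function load_preferences_no_objects(string $raw): array {
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// HARDENED 2: do not use PHP serialization for untrusted input at all.
// JSON has no notion of an object with behaviour, so there is nothing to inject.
function load_preferences_json(string $raw): array {
    try {
        $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return [];
    }
    return is_array($data) ? $data : [];
}

// Constructed payload: a legitimate-looking preferences array that smuggles
// an ExampleLogger object in one of its values. Built as a string literal so
// the gadget is not instantiated merely by creating the sample.
$payload = 'a:2:{s:5:"theme";s:4:"dark";s:1:"x";'
         . 'O:13:"ExampleLogger":2:{s:4:"path";s:16:"/tmp/example.log";'
         . 's:4:"line";s:8:"injected";}}';

// Hardened path: the array survives, the object is neutralised. get_class()
// on $safe['x'] reports __PHP_Incomplete_Class rather than ExampleLogger.
$safe = load_preferences_no_objects($payload);
echo 'theme=', $safe['theme'], ' x is ', get_class($safe['x']), PHP_EOL;

// Vulnerable path (deliberately not executed here): load_preferences_vulnerable($payload)
// would create a real ExampleLogger, and its __destruct() would append
// "injected" to /tmp/example.log once the returned array is discarded.
// Point $path at a web-reachable .php file and that write is code execution.
```

Two caveats on the hardened forms: allowed_classes => false still lets the attacker control the parsed array's shape and contents, so it belongs in front of, not instead of, normal input validation; and WordPress's own maybe_unserialize() helper is a thin wrapper over unserialize() without an allowed_classes argument, so routing untrusted data through it offers no protection against this class of bug.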
Affected Systems
The Boldermail plugin for WordPress, developed by Hernan Villanueva, is affected in all releases up to and including version 2.4.0. Users running these versions are exposed to the object injection flaw.
Risk and Exploitability
The CVSS base score of 8.8 signals a high-severity issue. The EPSS score of less than 1% means the estimated probability of exploitation in the wild over the next 30 days is currently low; it is not a count of public exploits, and for a WordPress plugin it can rise quickly once a proof of concept circulates, so the vulnerability remains a high-value target. It is not listed in the CISA KEV catalog. The nature of the flaw suggests an attacker would exploit it by sending specially crafted requests that reach the plugin's unserialize() call. Whether authentication is required is not stated here: if the remaining metrics are the usual ones for this bug class (network-reachable, low attack complexity, high impact on confidentiality, integrity and availability), a score of 8.8 rather than 9.8 would mean that either some level of privilege or user interaction is needed, but the vector string is not given in this description, so treat the privilege requirement as unconfirmed. The exact attack vector cannot be confirmed from the description either; the typical path would involve sending a malicious payload to an endpoint that processes serialized data, such as an admin-ajax.php action, a REST route, or a form field whose value the plugin later deserializes.
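Because the description does not pin down the endpoint, the most portable check is on the payload shape rather than the route: an object-injection attempt has to contain a serialized object token (O: for ordinary objects, C: for classes implementing Serializable). The PHP below is an added example for this page, not OpenCVE's or the plugin's code; the parameter names in the constructed sample requests are made up. It scans a request's parameters, including nested arrays and one layer of base64 (which WordPress plugins commonly wrap around serialize()), and returns the parameter paths that carry an object token, which can serve as a pre-filter in a must-use plugin or as a rule for hunting through request logs.

```php
<?php
// Added example: flag request parameters carrying a serialized PHP object.
// Not the plugin's code; parameter names in the samples are constructed.

// Matches an object token at the start of a value or right after a
// serialized element boundary ("{" or ";"), e.g. a:1:{s:1:"k";O:8:"stdClass"...
const PHP_OBJECT_TOKEN = '/(?:^|[;{])(?:O|C):\d+:"/';

function looks_like_php_object(string $value): bool {
    // Candidates: the raw value, its URL-decoded form (query strings and
    // form bodies arrive percent-encoded), and a strict base64 decoding when
    // the value is plausibly base64.
    $candidates = [$value, urldecode($value)];
    if (strlen($value) >= 8 && preg_match('/^[A-Za-z0-9+\/]+={0,2}$/', $value)) {
        $decoded = base64_decode($value, true);
        if ($decoded !== false) {
            $candidates[] = $decoded;
        }
    }
    foreach ($candidates as $c) {
        if (preg_match(PHP_OBJECT_TOKEN, $c) === 1) {
            return true;
        }
    }
    return false;
}

// Walk nested parameters (PHP turns a[b]=x into nested arrays) and return a
// dotted path for every string value that looks like a serialized object.
function find_object_injection_params(array $params, string $prefix = ''): array {
    $hits = [];
    foreach ($params as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '.' . $key;
        if (is_array($value)) {
            $hits = array_merge($hits, find_object_injection_params($value, $path));
        } elseif (is_string($value) && looks_like_php_object($value)) {
            $hits[] = $path;
        }
    }
    return $hits;
}

// Constructed sample requests (not real traffic), keyed by a label.
$requests = [
    'benign' => [
        'action' => 'save_prefs',
        'prefs'  => 'a:1:{s:5:"theme";s:4:"dark";}',   // serialized, but no object
        'note'   => 'O:nope',                          // mentions O: but is not a token
    ],
    'plain' => [
        'action' => 'save_prefs',
        'prefs'  => 'a:1:{s:1:"k";O:8:"stdClass":0:{}}',
    ],
    'nested_b64' => [
        'action' => 'import',
        'data'   => ['blob' => base64_encode('O:8:"stdClass":0:{}')],
    ],
];

// The benign request yields no hits; the other two report the offending
// parameter path ("prefs" and "data.blob" respectively).
foreach ($requests as $name => $params) {
    $hits = find_object_injection_params($params);
    printf("%-10s %s\n", $name, $hits ? 'FLAG ' . implode(',', $hits) : 'ok');
}
```

This is a shape check, not proof of exploitation: a legitimate feature may store objects via serialize(), so treat a hit as a reason to inspect the request and the handler rather than as a confirmed attack, and remember that a payload can be wrapped in encodings this scanner does not unpack (gzip, multiple base64 layers, JSON fields).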
OpenCVE Enrichment