Impact
The vulnerability is a deserialization-of-untrusted-data flaw (CWE-502) in the WordPress WP Easy Contact plugin that allows PHP object injection. If an attacker can supply crafted serialized data to the plugin, they can instantiate arbitrary PHP objects, potentially leading to remote code execution, tampering with site configuration, or unauthorized data access. CWE-502 covers data-handling flaws that let an attacker control object state during deserialization.
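As an added illustration of the CWE-502 pattern described above (not code from the WP Easy Contact plugin; the class, function names and sample inputs are hypothetical), the vulnerable unserialize() call is shown beside two hardened forms:

```php
<?php
// Added example, not code from the WP Easy Contact plugin: the CWE-502 pattern
// the advisory describes, beside two hardened forms. Names are hypothetical and
// the sample inputs are constructed here.

class ContactFormSettings {
    public $notifyEmail = 'admin@example.com';
    // Magic methods run automatically during unserialize(), which is why letting
    // untrusted input choose the class is dangerous.
    public function __wakeup() { error_log('ContactFormSettings::__wakeup ran'); }
}

// Vulnerable pattern: request data goes straight into unserialize(), so the
// sender decides which classes get instantiated and which magic methods run.
function loadSettingsVulnerable(string $untrusted) {
    return unserialize($untrusted);
}

// Hardened pattern 1: forbid object instantiation. Any O:... record becomes a
// __PHP_Incomplete_Class (no constructor, __wakeup or __destruct fires), and
// anything other than the plain array shape we expect is rejected.
function loadSettingsHardened(string $untrusted): ?array {
    $value = @unserialize($untrusted, ['allowed_classes' => false]);
    if (!is_array($value)) {
        return null; // false (malformed input) or a bare object record
    }
    $smuggled = false;
    array_walk_recursive($value, function ($leaf) use (&$smuggled) {
        if ($leaf instanceof __PHP_Incomplete_Class) {
            $smuggled = true; // an object record was nested inside the array
        }
    });
    return $smuggled ? null : $value;
}

// Hardened pattern 2: keep PHP serialization away from untrusted input entirely.
function loadSettingsJson(string $untrusted): ?array {
    $value = json_decode($untrusted, true);
    return is_array($value) ? $value : null;
}

// Constructed inputs: a legitimate settings array and an object record of the
// kind the vulnerable handler would happily instantiate.
$legit        = serialize(['notifyEmail' => 'admin@example.com']);
$objectRecord = serialize(new ContactFormSettings());
var_dump(loadSettingsVulnerable($objectRecord) instanceof ContactFormSettings);
var_dump(loadSettingsHardened($objectRecord));
var_dump(loadSettingsHardened($legit));
var_dump(loadSettingsJson('{"notifyEmail":"admin@example.com"}'));
```

The first var_dump shows the vulnerable handler instantiating the sender-chosen class (and running its __wakeup), while the hardened handler returns null for the same input and still accepts the plain array.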
Affected Systems
The affected product is the WP Easy Contact plugin developed by emarket-design. Versions from the earliest release through and including 4.0.1 are vulnerable. No later version is specified as affected, so any deployment running a version ≤4.0.1 should be considered at risk.
Risk and Exploitability
The CVSS score of 8.1 reflects a high severity impact, while the EPSS score of < 1% indicates that exploitation likelihood is currently low but non-zero. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector involves sending crafted serialized data to the plugin’s deserialization point via form submissions or specially crafted URLs. Successful exploitation would grant the attacker privileged access to the server environment running the WordPress instance. The combination of high impact and low but present exploitation probability warrants immediate attention.