Impact
This vulnerability is a deserialization-of-untrusted-data flaw that permits PHP object injection. An attacker can supply a crafted serialized object that causes the Employee Spotlight plugin to instantiate arbitrary PHP objects, potentially leading to arbitrary code execution and full compromise of the affected WordPress site. The weakness is classified as CWE-502 (Deserialization of Untrusted Data), which covers applications that deserialize attacker-controlled input without ensuring the resulting data, and any objects it creates, are valid and safe to handle.
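To make the CWE-502 pattern concrete, the following is an added example and not code from the Employee Spotlight plugin or from eMarket-Design: a generic settings loader that passes untrusted input to unserialize(), placed beside two hardened alternatives. The function names, option keys and the class name in the constructed payload are hypothetical placeholders.

```php
<?php
// Added example (not the plugin's own code). Function names, setting keys
// and the "Placeholder" class name are hypothetical.

// Weak pattern: unserialize() on attacker-controllable input. Any loadable
// class whose __wakeup()/__destruct() has side effects can be instantiated
// by whoever controls $raw. That is what "PHP object injection" means.
function load_settings_unsafe(string $raw): array
{
    $data = unserialize($raw); // CWE-502: untrusted data reaches unserialize()
    return is_array($data) ? $data : [];
}

// Hardened pattern 1: keep PHP's native format but forbid object creation.
// With allowed_classes => false (PHP >= 7.0) every object token in the
// payload becomes __PHP_Incomplete_Class and no class code runs.
function load_settings_no_objects(string $raw): array
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Hardened pattern 2 (preferred for new code): store settings as JSON, which
// has no object-instantiation semantics, then allow-list the expected shape.
function load_settings_json(string $raw): array
{
    $data = json_decode($raw, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('settings must decode to an array');
    }
    // Only keys of the expected type survive; anything else is dropped.
    $allowed = ['layout' => 'string', 'per_page' => 'integer'];
    $clean = [];
    foreach ($allowed as $key => $type) {
        if (array_key_exists($key, $data) && gettype($data[$key]) === $type) {
            $clean[$key] = $data[$key];
        }
    }
    return $clean;
}

// Constructed payload carrying an object token for a placeholder class.
$constructed = 'O:11:"Placeholder":1:{s:4:"name";s:1:"x";}';

var_dump(load_settings_no_objects($constructed));
var_dump(load_settings_json('{"layout":"grid","per_page":12,"junk":true}'));
```

Run stand-alone, the first var_dump shows an empty array: the object token is neutralised into __PHP_Incomplete_Class, which fails the is_array check, and no class code executes. The second shows only the two allow-listed keys. Note that WordPress's own maybe_unserialize() wrapper also calls unserialize() internally, so routing untrusted input through it carries the same CWE-502 risk as the weak pattern above.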
Affected Systems
The issue affects the WordPress Employee Spotlight plugin developed by eMarket-Design, versions up to and including 5.1.1. Any WordPress installation running this plugin at version 5.1.1 or earlier is susceptible, regardless of its configuration or of any other plugins installed.
Risk and Exploitability
With a CVSS score of 8.1 the vulnerability is rated high severity, yet the EPSS score of less than 1 % indicates a very low probability of exploitation at present. It is not listed in the CISA KEV catalog, so there is no documented large-scale exploitation footprint. The attack vector is inferred to be the plugin's input handling, where a malicious serialized payload could be injected; this is understood to require administrative or otherwise authenticated access to the plugin's configuration or data-processing functionality. Where such access is available, an attacker could achieve full remote code execution on the underlying hosting environment.
OpenCVE Enrichment