Impact
This vulnerability is a PHP Object Injection flaw that occurs when the Captivate Sync plugin deserializes untrusted data. An attacker who can send a crafted payload to the plugin’s deserialization endpoint can instantiate malicious PHP objects, leading to arbitrary code execution. The flaw is classified as CWE‑502 (Deserialization of Untrusted Data): input reaches the deserializer without validation, which can compromise the confidentiality, integrity, and availability of the host system.
Affected Systems
The issue affects the WordPress Captivate Sync plugin released by captivateaudio, specifically all versions up to and including 3.0.3. Any WordPress installation that has been running a vulnerable version of this plugin is at risk because the vulnerability resides in the plugin’s code and is triggered by external input.
Risk and Exploitability
The CVSS score of 9.8 rates this defect as critical, consistent with remote code execution as the impact. The EPSS score of < 1% suggests that exploitation has not yet been widely observed, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the likely attack vector is a crafted serialized object sent to the plugin’s deserialization endpoint, which may be publicly reachable. If that endpoint is accessible over the web, an attacker could potentially send such a request without further privileges, making the threat potentially serious for exposed WordPress sites.
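For triage on sites that cannot upgrade immediately, the following added example (not part of the advisory or the plugin) flags form parameters that carry PHP serialized object tokens, either as sent or base64-encoded. The parameter names and sample request bodies are constructed assumptions; the advisory does not name the endpoint or its parameters.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode

# Object tokens produced by PHP serialize(): O:<len>:"<Class>":<count>:{
# ("C:" has the same shape for classes implementing Serializable).
PHP_OBJECT = re.compile(
    r'(?<![A-Za-z0-9])[OC]:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{'
)


def decodings(value):
    """Yield the value as sent, plus its base64 decoding when it is valid base64."""
    yield value
    try:
        yield base64.b64decode(value, validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        pass  # not base64; only the raw form is inspected


def find_serialized_objects(form_body):
    """Return (parameter, class name) for every PHP object token in a form body."""
    hits = []
    # parse_qsl URL-decodes each value before it is inspected.
    for name, value in parse_qsl(form_body, keep_blank_values=True):
        for text in decodings(value):
            hits += [(name, cls) for cls in PHP_OBJECT.findall(text)]
    return hits


# Constructed sample request bodies; parameter names are hypothetical.
_nested = b'a:1:{i:0;O:8:"stdClass":0:{}}'
SAMPLES = [
    urlencode({"action": "sync", "data": 'O:8:"stdClass":0:{}'}),
    urlencode({"action": "sync", "data": base64.b64encode(_nested).decode()}),
    urlencode({"title": "Episode 12", "notes": "Recorded at 10:30, take 2"}),
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(find_serialized_objects(body) or "clean", "<-", body)
```

A hit only shows that a parameter contains a serialized PHP object; whether the plugin passes that parameter to a deserializer has to be confirmed against the installed version.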