The vulnerability is a deserialization of untrusted data that permits PHP object injection, classified as CWE-502. It exists in MetaSlider Responsive Slider by MetaSlider plugin through version 3.106.0. Based on the description, it is inferred that an attacker could craft a serialized payload that, when deserialized by the plugin, creates arbitrary PHP objects and could trigger remote code execution or other malicious actions. The plugin does not perform input validation on the data it deserializes, allowing the injection of crafted payloads and potentially compromising site integrity and confidentiality.

The product affected is the WordPress plugin MetaSlider Responsive Slider by MetaSlider. All releases from the earliest version up to 3.106.0 are vulnerable. Any WordPress site that has not upgraded to at least 3.107.0 remains at risk.

The CVSS score of 7.2 indicates high severity, while the EPSS score of below 1% suggests that exploitation is currently rare and it is not listed in the CISA KEV catalog. The likely attack vector is through the plugin’s functionality that accepts serialized data from external requests; this inference is drawn from the nature of the flaw. No public exploit is documented, but the potential for arbitrary code execution exists if an attacker can supply crafted input. The overall risk is high for affected installations, though the probability of exploitation is low at present.