Shapedplugin · Carousel · CVE-2024-3020
**Name of the Vulnerable Software and Affected Versions**
Carousel by ShapedPlugin (WordPress plugin), versions up to and including 2.6.3
**Description**
The plugin's import function deserializes untrusted input supplied in the `shortcode` parameter, which allows authenticated attackers with administrator-level access to inject a PHP object. If a POP chain is present via an additional plugin or theme, this could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
**Recommendations**
For versions up to and including 2.6.3, update to a version that fixes the PHP Object Injection issue to prevent exploitation.
As a temporary workaround, consider restricting access to the import function and the `shortcode` parameter to minimize the risk of exploitation.
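To make the mechanism and the fix concrete, the following is an added illustration of the bug class described above, not the Carousel plugin's code: a hypothetical WordPress import handler that deserializes the `shortcode` parameter, shown in the unsafe form beside a hardened one. Because the reported attacker already holds administrator rights, the decisive fix is the change in how the payload is parsed; the capability and nonce checks correspond to the "restrict access to the import function" workaround. Function names, the `carousel_import` nonce action and the `slides`/`settings` keys are assumptions.

```php
<?php
// Added illustration, not the Carousel plugin's code.

// Unsafe pattern: unserialize() on request data can instantiate any loaded
// class, so a POP chain (magic methods such as __wakeup/__destruct) in another
// plugin or theme becomes reachable through the import action.
function carousel_import_unsafe() {
    $data = unserialize( wp_unslash( $_POST['shortcode'] ) ); // PHP Object Injection
    return $data;
}

// Hardened pattern:
//  1. authorization and CSRF checks on the import action,
//  2. no unserialize() of untrusted input; prefer JSON, and if legacy
//     serialized payloads must be accepted, forbid object instantiation with
//     allowed_classes => false and accept only the array shape the importer expects.
function carousel_import_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    check_admin_referer( 'carousel_import' ); // nonce action name is assumed

    $raw = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';

    // Preferred: a structured format with no object semantics.
    $data = json_decode( $raw, true );
    if ( json_last_error() !== JSON_ERROR_NONE ) {
        // Legacy serialized payloads: any object becomes __PHP_Incomplete_Class,
        // so no constructor or magic method of a real class runs.
        $data = @unserialize( $raw, array( 'allowed_classes' => false ) );
    }
    if ( ! is_array( $data ) ) {
        wp_die( 'Invalid import payload', 400 );
    }

    // Keep only the keys the importer needs and only scalar values inside them.
    $allowed = array( 'slides', 'settings' ); // assumed importer keys
    $clean   = array();
    foreach ( $allowed as $key ) {
        if ( isset( $data[ $key ] ) && is_array( $data[ $key ] ) ) {
            $scalars       = array_filter( $data[ $key ], 'is_scalar' );
            $clean[ $key ] = array_map( 'sanitize_text_field', $scalars );
        }
    }
    return $clean;
}
```

For detection while a fix is pending, import requests whose `shortcode` value starts with a serialized-object prefix such as `O:` are worth alerting on, since a legitimate shortcode string never takes that form.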