Name of the Vulnerable Software and Affected Versions:

ConvertPlug plugin for WordPress versions up to, and including, 3.5.25

Description:

The issue concerns PHP Object Injection via deserialization of untrusted input from the `settings encoded` attribute of the "smile info bar" shortcode. This allows authenticated attackers with contributor-level access and above to inject a PHP Object. If a POP chain is present via an additional plugin or theme, it could enable the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Recommendations:

For versions up to, and including, 3.5.25, update to a version that contains a fix for this issue to prevent PHP Object Injection. As a temporary workaround, consider restricting access to the "smile info bar" shortcode and the `settings encoded` attribute to minimize the risk of exploitation.