Through the proactive monitoring of changes in WordPress plugins for serious vulnerabilities we do, we recently found a PHP object injection vulnerability in the TAKETIN To WP Membership plugin.
In the file /classes/taketin-mp-utils.php the function getMessage() as of version 1.2.7 would unserialize the value of the cookie “taketin_mp_error”, which permitted PHP object injection:
346 347 348 349 350
Source: Security Feed