A PHP Object injection vulnerability was found in the Google Forms WordPress plugin. It can be used by an unauthenticated user to instantiate arbitrary PHP Objects. Using this vulnerability it is possible to execute arbitrary PHP code. The input is taken directly from the POST request as can be seen in the following code fragment: $action = unserialize(base64_decode($_POST[‘wpgform-action’]) ; unset($_PUT[‘wPGform] ) ; $options = $options.”]