The leafcolor Applay - Shortcodes plugin versions up to 3.7 contain a deserialization of untrusted data vulnerability that permits object injection attacks. This flaw allows an attacker to supply crafted serialized data that the application deserializes without proper validation, potentially leading to remote code execution or other severe impacts. The vulnerability is remotely exploitable without authentication and requires no user interaction, making it highly dangerous. The CVSS 3.1 base score is 9.8, reflecting its critical impact on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability can lead to full system compromise, including unauthorized disclosure of sensitive information, modification or destruction of data, and disruption of service. Given the critical CVSS score and the nature of object injection, attackers could execute arbitrary code or commands on affected systems.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, it is recommended to restrict access to the vulnerable plugin and monitor for unusual activity. Avoid using untrusted serialized data inputs in the application. Follow vendor channels closely for updates and apply patches promptly once released.