## Key Vulnerability Information

- **File**: `contact-form-entries/tags/1.4.6/contact-form-entries.php`
- **Function**: `maybe_unserialize($val, array('allowed_classes' => false));` called multiple times in `create_entry_fr`, `create_entry_na`, and other functions.
- **Impact**:
  - When `maybe_unserialize` is used with the default `allowed_classes` parameter, it permits arbitrary PHP object deserialization, potentially leading to remote code execution.

## Inferred Security Risks

- **PHP Object Injection**: Attackers may exploit specially crafted serialized data to bypass restrictions, inject malicious code, and execute arbitrary PHP code within the application context.
- **Potential Attack Vectors**:
  - Manipulate the value of `$data` to inject exploitable serialized objects.
  - Exploit systems still running pre-patch versions to launch attacks.
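
The difference the `allowed_classes` option makes, as an added example that is not code from the plugin or from this page: PHP's native `unserialize()` with default options instantiates any class named in the data, while `allowed_classes => false` does not. `DemoGadget`, `demo_safe_unserialize` and `demo_contains_object` are hypothetical names, and the sample inputs are constructed.

```php
<?php
// Constructed stand-in for an application class with a magic method (not from the plugin).
class DemoGadget {
    public static $fired = 0;
    public $note = 'x';
    public function __wakeup() { self::$fired++; } // runs when the class is unserialized
}

// Hypothetical helper: true if a decoded value holds any object, at any depth.
function demo_contains_object($v) {
    if ($v instanceof __PHP_Incomplete_Class || is_object($v)) {
        return true;
    }
    if (is_array($v)) {
        foreach ($v as $item) {
            if (demo_contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Hypothetical helper: decode stored form data without instantiating any class.
function demo_safe_unserialize($val) {
    if (!is_string($val)) {
        return $val;
    }
    $raw = trim($val);
    // allowed_classes => false maps every object to __PHP_Incomplete_Class,
    // so no __wakeup() or __destruct() of an application class can run.
    $out = @unserialize($raw, ['allowed_classes' => false]);
    if ($out === false && $raw !== 'b:0;') {
        return $val; // not serialized data: hand back the raw string
    }
    // Form entries should be scalars or arrays; reject anything carrying an object.
    return demo_contains_object($out) ? null : $out;
}

// Constructed sample inputs.
$plain  = serialize(['name' => 'Alice', 'msg' => 'hello']);
$object = serialize(['name' => 'Bob', 'extra' => new DemoGadget()]);

unserialize($object); // default options: DemoGadget is instantiated, __wakeup() fires
echo 'wakeups after default unserialize: ', DemoGadget::$fired, PHP_EOL;
var_dump(demo_safe_unserialize($plain));       // plain array data decodes normally
var_dump(demo_safe_unserialize($object));      // object-bearing data is rejected
var_dump(demo_safe_unserialize('just text'));  // non-serialized input passes through
echo 'wakeups after safe helper: ', DemoGadget::$fired, PHP_EOL;
```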