ConvertPlus, a popular plugin for the website-building platform WordPress, is vulnerable to PHP Object Injection in all versions up to version 3.5.26. The flaw occurs when untrusted input is deserialized in a specific part of the plugin’s code, which allows attackers who have contributor-level access or higher to inject a PHP object. The plugin itself contains no known POP (property-oriented programming) chain that would turn the injected object into a working attack. If another plugin or theme installed on the same website provides such a chain, an attacker could potentially delete important files, access sensitive information, or run their own code.
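The mechanism described above, as an added PHP example that is not ConvertPlus code and is not taken from any real plugin: it shows an unsafe `unserialize()` call beside two hardened alternatives. The class `Example_Cache_File` is a constructed stand-in for a class shipped by another plugin or theme, and the loader function names are hypothetical.

```php
<?php
// Constructed stand-in for a class shipped by some OTHER plugin or theme.
// Hypothetical name; not taken from ConvertPlus or any real plugin.
class Example_Cache_File {
    public $path = '';
    public static $touched = [];

    public function __destruct() {
        // A real gadget might delete $this->path here; this one only records it.
        if ($this->path !== '') {
            self::$touched[] = $this->path;
        }
    }
}

// Before: a stored, user-influenced string goes straight into unserialize().
function load_settings_unsafe(string $raw) {
    return unserialize($raw);
}

// After, option 1: keep the format but refuse to instantiate any class.
function load_settings_no_classes(string $raw) {
    return unserialize($raw, ['allowed_classes' => false]);
}

// After, option 2: store settings as JSON, which cannot carry objects with behaviour.
function load_settings_json(string $raw): array {
    $data = json_decode($raw, true);
    return is_array($data) ? $data : [];
}

// Constructed input: a serialized Example_Cache_File with a chosen path.
$builder = new Example_Cache_File();
$builder->path = '/constructed/demo.txt';
$payload = serialize($builder);
$builder->path = '';            // keep the builder itself out of the record
unset($builder);

$obj = load_settings_unsafe($payload);
unset($obj);                    // destructor runs with the injected path
printf("unsafe:     %d path(s) reached the destructor\n", count(Example_Cache_File::$touched));

Example_Cache_File::$touched = [];
$obj = load_settings_no_classes($payload);
$class = get_class($obj);       // __PHP_Incomplete_Class, no destructor attached
unset($obj);
printf("no classes: %d path(s), value became %s\n", count(Example_Cache_File::$touched), $class);

printf("json:       %d key(s) accepted from the same input\n", count(load_settings_json($payload)));
```

Run with the PHP CLI; only the unsafe loader lets the destructor of the other component's class see the injected path.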