The plugin does not properly sanitize the "profile-pic-url" parameter, leading to a potential PHP Object Injection. This vulnerability stems from the deserialization of untrusted input, potentially enabling a malicious user with subscriber-level permissions to inject a PHP Object. The issue may escalate if a Property Oriented Programming (POP) chain is present via an additional plugin or theme.
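
The pattern described above, as an added PHP illustration that is not the plugin's code (the advisory does not show it): a request value passed to `unserialize()` beside two hardened alternatives. All function and class names are hypothetical, and `DemoGadget` is a constructed stand-in for a class from another plugin or theme.

```php
<?php
// Added illustration, not the plugin's code. Every name here is hypothetical.

// Constructed stand-in for a class shipped by some other plugin or theme.
// A magic method like this is what makes a class usable in a POP chain;
// this one only records that it ran.
class DemoGadget {
    public static bool $fired = false;
    public string $note = '';
    public function __wakeup(): void { self::$fired = true; }
}

// Vulnerable pattern: the request value goes straight into unserialize().
function load_pic_vulnerable(string $raw) {
    return unserialize($raw);
}

// Hardened pattern: the value is supposed to be a URL, so parse it as one.
function load_pic_hardened(string $raw): ?string {
    $url = filter_var(trim($raw), FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// If stored legacy values really are serialized, never instantiate classes.
function load_legacy_safe(string $raw): ?string {
    $value = @unserialize($raw, ['allowed_classes' => false]);
    return is_string($value) ? load_pic_hardened($value) : null;
}

$payload = serialize(new DemoGadget());            // constructed sample input
$legit   = serialize('https://example.com/a.png'); // constructed sample input

load_pic_vulnerable($payload);
echo 'vulnerable path ran gadget: ', var_export(DemoGadget::$fired, true), "\n";

DemoGadget::$fired = false;
echo 'hardened, object payload:   ', var_export(load_pic_hardened($payload), true), "\n";
echo 'legacy-safe, object payload: ', var_export(load_legacy_safe($payload), true), "\n";
echo 'legacy-safe, URL string:     ', var_export(load_legacy_safe($legit), true), "\n";
echo 'gadget ran on safe paths:    ', var_export(DemoGadget::$fired, true), "\n";
```

On the vulnerable path the class's magic method runs during deserialization; on the other two paths no object of that class is built, so a chain has nothing to start from.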