AjaxSearchPro before 4.20.8 allows Deserialization of Untrusted Data (in the import database feature of the administration panel), leading to Remote Code execution.
https://www.synacktiv.com/sites/default/files/2021-04/WP_AjaxSearchPro_Vulnerability.pdf