The White Label CMS WordPress plugin before 2.5 unserializes user input provided via the settings, which could allow high-privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.
https://wpscan.com/vulnerability/b7707a15-0987-4051-a8ac-7be2424bcb01