The HUSKY WordPress plugin before 1.3.2 unserializes user input provided via the settings, which could allow high privilege users such as admin to perform PHP Object Injection when a suitable gadget is present.