CVE-2019-15320 — CVSS 9.8 (critical): The option-tree plugin before 2.7.3 for WordPress has Object Injection because the + character is mishandled.
CVE-2019-15321 — CVSS 9.8 (critical): The option-tree plugin before 2.7.3 for WordPress has Object Injection because serialized classes are mishandled.