b2evolution 6.7.6 suffer from an Object Injection vulnerability in /htsrv/call_plugin.php.
b2evolution b2evolution 6.7.6