PHP 3 and 4 do not properly cleanse user-injected format strings, which allows remote attackers to execute arbitrary commands by triggering error messages that are improperly written to the error logs.
Upgrade to the latest version of PHP.
WordPress Plugin bbPress Move Topics PHP Object Injection (1.1.4)
WordPress Plugin WikiPop Cross-Site Scripting (2.0)
Drupal Core 8.x.x Security Bypass (8.0.0 - 8.7.14)
WordPress Plugin Popup Maker-Popup for opt-ins, lead gen, & more Cross-Site Scripting (1.6.4)
WordPress Plugin Keep Backup Daily Cross-Site Scripting (2.0.2)