Are plugins or server software that utilise Serialisation at risk? What specific versions of Minecraft and/or java are affected?

These things are not specified in the README.md

Are plugins or server software that utilise Serialisation at risk?

Uhh, technically yes? Everything that uses serialization in a networking context could be at risk, lots of popular software fell for that trap in the past. But to give a more serious/accurate answer: We're not aware of any and the chances are slim enough to basically answer with a simple "no". But we haven't actually looked at any so don't take my word for it.

What specific versions of Minecraft and/or java are affected?

None. Specific mods for specific versions are affected, but with our current data it's impossible to give an actual range As written here the most affected mods so far are available for mc version 1.7.10 and 1.12.2 but we also found a mod for 1.4.7 that could be exploited in the same way.

I too would like to know if this can affect plugins on server software such as Bukkit/Spigot/Paper/Purpur/etc.

Although it's my understanding that these server software don't alter the networking between the client and server, I'm not 100% sure on that, and there are plugins such as ProtocolLib that I figure could potentially be affected.