Description The plugin unserialises the content of an imported file, which could lead to PHP object injections issues when a high privilege user import a malicious file and a suitable gadget chain is present on the blog.
To simulate a gadget chain, put the following code in a plugin: class Test { public function __wakeup() : void { die(“Arbitrary deserialization”); } } Create a file named “poc.txt” with the following content: O:4:“Test”:0:{}; Upload the file via the “Choose File” feature in Weaver Xtreme Theme Support > Filters Then choose Restore Filter Options. The view the response of the request made, which will have the “Arbitrary deserialization” message.