Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List.
In 2010, Stefan Esser gave a presentation in Las Vegas that rocked the PHP world. He had discovered a new kind of vulnerability that today we call a “PHP Object Injection” vulnerability. This kind of vulnerability allows an attacker to send a PHP application a piece of text that the application turns into an object living in memory, with the class and the property values of that object chosen by the attacker. If the application then assumes that object and its data are trustworthy and does things with that object, it could lead to a compromised website.
In technical terms, an object injection vulnerability works as follows. A developer writes code that calls the unserialize() function. This function takes an object that has been stored somewhere and turns it from its stored form, which looks like text, back into an object that lives in memory. Developers do this when using object-oriented programming in PHP. Objects are just data structures that logically represent things within the application. The serialize() and unserialize() functions are the ways to store and retrieve objects. What makes unserialize() dangerous is that it instantiates whatever class the text names and PHP automatically runs that class’s “magic” methods, such as __wakeup() and __destruct(), on the rebuilt object, so if the text came from an attacker, the attacker decides which code runs and with which data. While serialize() turns an object into text, ready
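The mechanism described above, as an added example that is not code from the original post: a small class whose __destruct() has a side effect, the legitimate serialize()/unserialize() round trip, the same unserialize() call fed a client-supplied string, and the allowed_classes option that stops the named class from being instantiated. The LogWriter class, the cookie string and the file names (app.log, owned.txt) are constructed for illustration only.

```php
<?php
// Added example, not code from the original post. The LogWriter class, the
// cookie value and the file names (app.log, owned.txt) are constructed for
// illustration; a real application would have its own classes with similar
// side effects in __destruct(), __wakeup() or __toString().

class LogWriter
{
    public $path;
    public $data;

    public function __construct($path, $data)
    {
        $this->path = $path;
        $this->data = $data;
    }

    // PHP calls __destruct() on its own when the object is freed. That is
    // true for objects built by unserialize() as well, and unserialize()
    // never calls __construct(), so whoever wrote the serialized text
    // decides what $path and $data are when this method runs.
    public function __destruct()
    {
        file_put_contents($this->path, $this->data);
    }
}

// 1. Intended use: serialize() turns an object into text, unserialize()
//    turns that text back into an equivalent object.
$legit = new LogWriter('app.log', "request ok\n");
$stored = serialize($legit);
echo "stored form: $stored\n";
// O:9:"LogWriter":2:{s:4:"path";s:7:"app.log";s:4:"data";s:11:"request ok
// ";}
$restored = unserialize($stored);
echo "restored: ", get_class($restored), " -> ", $restored->path, "\n";

// 2. The vulnerable pattern: the text comes from the client. Nothing in the
//    format restricts which class or which property values the sender may
//    name, so the attacker picks both (any class the application has loaded
//    or can autoload, not only LogWriter).
$cookie = 'O:9:"LogWriter":2:{s:4:"path";s:9:"owned.txt";'
        . 's:4:"data";s:19:"attacker wrote this";}';

function handle_request_vulnerable($cookie)
{
    $obj = unserialize($cookie);   // instantiates whatever class the text names
    unset($obj);                   // __destruct() fires: owned.txt is written
}

handle_request_vulnerable($cookie);
echo "vulnerable: ", file_exists('owned.txt') ? 'owned.txt was written' : 'nothing written', "\n";
@unlink('owned.txt');

// 3. Hardened: allowed_classes => false (PHP 7.0+) makes unserialize() turn
//    every object in the text into __PHP_Incomplete_Class, so no application
//    class is instantiated and no magic method runs. For client-supplied data
//    the better fix is a format with no object semantics at all, e.g. JSON.
function handle_request_hardened($cookie)
{
    $obj = unserialize($cookie, ['allowed_classes' => false]);
    $class = get_class($obj);      // "__PHP_Incomplete_Class"
    unset($obj);                   // nothing to destruct
    return $class;
}

echo "hardened: unserialize() produced ", handle_request_hardened($cookie), "\n";
echo "hardened: ", file_exists('owned.txt') ? 'owned.txt was written' : 'nothing written', "\n";

// Clean up the legitimate objects' side effects.
unset($legit, $restored);
@unlink('app.log');
```

Run it with php from a directory the script may write to: the vulnerable handler creates owned.txt from nothing but a string, while the hardened handler gets a __PHP_Incomplete_Class placeholder and writes nothing. Note that the hardened call still parses attacker-controlled data; where the client only needs to send plain values, json_decode() removes the object machinery entirely.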