via pluginvulnerabilities.com
Recently, an update was released for a WordPress plugin that had a changelog that said the new version addressed a PHP object injection vulnerability by using the WordPress function maybe_unserialize(). That function doesn’t accomplish that. The developer then made a second attempt to address the vulnerability, which did fix it. To better understand why maybe_unserialize() won’t address that, let’s look at how they managed to fix it.
The code passes user input to the function unserialize():
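To see why the first attempt falls short, here is an added example (not code from the plugin or from the original post) that uses a simplified stand-in for WordPress's maybe_unserialize() and contrasts it with a hardened unserialize() call; the class AuditLogger, the serialized input string and the file paths are constructed for illustration, and the hardened call is a general mitigation, not necessarily what the plugin's developer did.

```php
<?php
// Added example: simplified stand-in for WordPress's maybe_unserialize().
// The real function checks is_serialized() and, if the string looks like
// serialized PHP, hands it straight to unserialize(). Nothing restricts
// which classes may be instantiated, so it offers no protection against
// PHP object injection: the attacker still controls the class name.
function demo_maybe_unserialize($data) {
    // Simplified is_serialized(): does the value look like PHP serialized data?
    if (is_string($data) && preg_match('/^([aOsbid]:|N;)/', trim($data))) {
        return @unserialize(trim($data));
    }
    return $data;
}

// Constructed class standing in for any class a plugin or theme has loaded.
// Magic methods such as __wakeup() run as soon as an instance is unserialized.
class AuditLogger {
    public $path = '/tmp/audit.log';
    public function __wakeup() {
        echo "AuditLogger::__wakeup() ran during unserialize()\n";
    }
}

// Constructed input shaped like attacker-supplied data (harmless here).
$input = 'O:11:"AuditLogger":1:{s:4:"path";s:13:"/tmp/evil.log";}';

// 1) The "fix" via maybe_unserialize(): the object is still instantiated
//    and its __wakeup() still runs, because the input passes the format check.
$obj = demo_maybe_unserialize($input);
var_dump($obj instanceof AuditLogger);

// 2) Hardened call (PHP >= 7.0): refuse to instantiate any class. The class
//    name becomes __PHP_Incomplete_Class and no magic methods execute.
$safe = unserialize($input, ['allowed_classes' => false]);
var_dump($safe instanceof AuditLogger);
var_dump($safe instanceof __PHP_Incomplete_Class);

// 3) Preferable: never accept serialized PHP from users; a structured format
//    such as JSON cannot name classes, so it cannot instantiate them.
$decoded = json_decode('{"path":"/tmp/audit.log"}', true);
var_dump(is_array($decoded));
```

Running the script shows the __wakeup() message only for step 1; in steps 2 and 3 no application class is ever instantiated from the user-controlled string.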