Glossary entry

Object Injection

PHP Object Injection is a critical security vulnerability that occurs when a developer passes untrusted user input to PHP's unserialize() function. PHP serialization stores complex objects as strings; when such a string is deserialized, PHP automatically reconstructs the object and invokes the lifecycle magic methods the class defines (such as __wakeup() or __destruct()). If an attacker controls the serialized string, they can craft a payload that instantiates any class available in the codebase and triggers its magic methods, potentially achieving remote code execution, file deletion, or data exfiltration. WordPress itself has historically exposed object injection vulnerabilities through several popular plugins. Prevention is straightforward: never pass user-supplied data to unserialize(). Use json_encode() and json_decode() for structured data serialization, since JSON decoding does not reconstruct PHP objects. When deserializing stored data is genuinely necessary, validate the structure and use the allowed_classes option introduced in PHP 7 to restrict which classes can be instantiated.
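The vulnerable pattern beside the two mitigations the entry recommends, as an added example that is not part of this glossary: the TempFileCleaner class, the loadPrefs* functions and the serialized sample string are constructed for illustration, and the code assumes PHP 7.4 or later.

```php
<?php
// Added example, not code from the glossary page. The class, the function names and
// the serialized sample input are all constructed for illustration (PHP 7.4+).

// A harmless stand-in for a gadget class: instead of deleting a file, __destruct()
// only records that it ran with state taken from the serialized input.
class TempFileCleaner
{
    public string $path = '';
    public static array $log = [];

    public function __destruct()
    {
        // A real cleanup class would call unlink($this->path) here.
        self::$log[] = "cleanup would run on: {$this->path}";
    }
}

// Vulnerable: untrusted input goes straight to unserialize(), so any class in the
// codebase can be instantiated and its __wakeup()/__destruct() will run.
function loadPrefsVulnerable(string $raw)
{
    return unserialize($raw);
}

// Hardened: allowed_classes => false turns every object entry into
// __PHP_Incomplete_Class, so no magic method of an application class is invoked.
// The caller additionally insists on the expected shape, a plain array.
function loadPrefsHardened(string $raw): array
{
    $data = unserialize($raw, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Preferred: JSON carries only scalars and arrays (or stdClass), never application classes.
function loadPrefsJson(string $raw): array
{
    $data = json_decode($raw, true);
    return is_array($data) ? $data : [];
}

// Constructed sample of what a tampered cookie could carry: a serialized
// TempFileCleaner where the application expected a preferences array.
$tampered = 'O:15:"TempFileCleaner":1:{s:4:"path";s:6:"/tmp/x";}';

$obj = loadPrefsVulnerable($tampered);   // object is reconstructed here
unset($obj);                             // ...and __destruct() fires on release
echo "vulnerable path log: " . implode('; ', TempFileCleaner::$log) . "\n";

// Neither hardened loader instantiates TempFileCleaner; the bad input collapses to [].
echo "hardened entries: " . count(loadPrefsHardened($tampered)) . "\n";
echo "json theme: " . (loadPrefsJson('{"theme":"dark"}')['theme'] ?? 'none') . "\n";
```

Run with `php example.php`; the log line appears only for the vulnerable loader, which is the behaviour a code review should look for wherever unserialize() receives request or database data.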
