Description
ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.
Remediation
References
Related Vulnerabilities
WordPress Plugin Social Sharing-Sassy Social Share PHP Object Injection (3.3.23)
Joomla! Core 3.9.x Directory Traversal (3.9.3 - 3.9.5)
WordPress Plugin Contextual Related Posts Multiple Vulnerabilities (3.3.1)
WordPress Plugin Pondol Carousel Cross-Site Scripting (1.0)
WordPress Plugin 301 Redirects-Easy Redirect Manager Cross-Site Request Forgery (2.72)