Description
The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object before using it as one. An attacker who can supply crafted serialized data (for example, to an application that calls unserialize() on untrusted input) can trigger an uninitialized memory access, leading to a denial of service or potentially arbitrary code execution.
Remediation
Upgrade to PHP 7.0.12 or later. Until then, do not pass untrusted data to unserialize(); where that is unavoidable, restrict the classes it may instantiate with the allowed_classes option so that class-specific unserialize handlers such as SplObjectStorage's are never reached by attacker-controlled input.
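The call-site hardening a practitioner would pair with the upgrade, as an added example (this is not code from the advisory or from the PHP project): unserialize() is called with allowed_classes set to false, so any object in the payload, including an SplObjectStorage, is materialised as __PHP_Incomplete_Class and the SPL unserialize handler in ext/spl/spl_observer.c never runs on attacker input. The helper names and the sample payload are constructed for this example; the payload is the serialized form of an empty SplObjectStorage as PHP 7.0 emits it.

```php
<?php
// Added example, not part of the advisory or of PHP itself.
// Demonstrates keeping attacker-controlled serialized data away from
// class-specific unserialize handlers (SplObjectStorage among them).

declare(strict_types=1);

/**
 * Deserialise data from an untrusted source without letting the payload
 * choose which classes are instantiated. Requires PHP >= 7.0, where the
 * allowed_classes option was introduced. Helper name is our own.
 */
function unserialize_untrusted(string $data)
{
    // allowed_classes => false: every "O:" or "C:" record becomes a
    // __PHP_Incomplete_Class instead of a live object, so no custom
    // unserialize handler is invoked. The @ silences the expected
    // "Class __PHP_Incomplete_Class has no unserializer" warning.
    $value = @unserialize($data, ['allowed_classes' => false]);

    // unserialize() returns false both on error and for the literal
    // serialized boolean false, hence the second comparison.
    if ($value === false && $data !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized data');
    }
    return $value;
}

/** Recursively report whether a decoded value smuggled in any object. */
function contains_incomplete_object($value): bool
{
    if ($value instanceof __PHP_Incomplete_Class) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_incomplete_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample payload: serialize(new SplObjectStorage()) on PHP 7.0,
// i.e. the custom "C:" record the vulnerable handler would normally parse.
$payload = 'C:16:"SplObjectStorage":14:{x:i:0;m:a:0:{}}';

$result = unserialize_untrusted($payload);

// The class was not instantiated: we got an opaque placeholder instead.
var_dump($result instanceof __PHP_Incomplete_Class);   // bool(true)
var_dump($result instanceof SplObjectStorage);         // bool(false)

// An application that expects only scalars/arrays should refuse the input
// outright rather than carry placeholder objects further.
if (contains_incomplete_object($result)) {
    fwrite(STDERR, "rejected: payload contained an object\n");
}

// Independent of the call-site hardening, the runtime itself must be fixed;
// the advisory gives 7.0.12 as the first fixed version.
if (version_compare(PHP_VERSION, '7.0.12', '<')) {
    fwrite(STDERR, 'PHP ' . PHP_VERSION . " is affected; upgrade to 7.0.12 or later\n");
}
```

Restricting allowed_classes closes this code path only for unserialize() calls the application controls; it does not patch the runtime, so the version check and the upgrade remain necessary. If the application genuinely needs objects back from serialized data, pass an explicit whitelist of its own value classes instead of false, and still keep SPL containers off that list.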