Description
This script is using the PHP function unserialize() on user input. This is not recommended as it can lead to various vulnerabilities. Consult "Web references" for more information about this problem.
unserialize() takes a single serialized variable and converts it back into a PHP value. However, if the variable being unserialized is an object, after successfully reconstructing the object PHP will automatically attempt to call the __wakeup(), __destruct() member functions (if they exist). In some cases, this can lead to PHP code execution.
Remediation
It is not recommended to use unserialize() on user input.
References
Related Vulnerabilities
WordPress Plugin Best Seo Remote Code Execution (1.5)
TYPO3 Improper Input Validation Vulnerability (CVE-2009-0258)
Resin Application Server Improper Input Validation Vulnerability (CVE-2012-2965)
Sitecore XM/XP Insecure Deserialization (CVE-2025-27218)
WordPress Plugin Five Star Restaurant Menu-WordPress Ordering Remote Code Execution (2.2.0)