Description
php_zip.c in the zip extension in PHP before 5.5.37, 5.6.x before 5.6.23, and 7.x before 7.0.8 improperly interacts with the unserialize implementation and garbage collection, which allows remote attackers to execute arbitrary code or cause a denial of service (use-after-free and application crash) via crafted serialized data containing a ZipArchive object.
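A version triage for the ranges in the description, as an added example (not part of the original advisory or of PHP itself). The host names, the inventory layout and the `zip_loaded` field are assumptions made up for illustration.

```python
import re

# First fixed release on each affected branch, taken from the description above.
FIXED = {(5, 5): (5, 5, 37), (5, 6): (5, 6, 23), (7, 0): (7, 0, 8)}


def parse_php_version(text):
    """Return (major, minor, patch) from strings such as '5.6.22-0+deb8u1'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised PHP version: {text!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(version, zip_loaded=True):
    """True if the version falls inside the ranges the description lists.

    Assumption: a build without the zip extension does not contain php_zip.c.
    Caveat: distribution packages may backport the fix without changing the
    upstream version number, so a hit here means "check the package changelog".
    """
    if not zip_loaded:
        return False
    v = parse_php_version(version)
    if v < (5, 5, 0):
        return True  # "before 5.5.37" also covers every older branch
    fixed = FIXED.get(v[:2])
    # Branches newer than 7.0 (for example 7.1) are outside the listed ranges.
    return fixed is not None and v < fixed


def triage(inventory):
    """Return the hosts whose reported PHP build needs attention."""
    return [h["host"] for h in inventory
            if is_affected(h["php"], h.get("zip_loaded", True))]


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = [
    {"host": "web-01", "php": "5.6.22-0+deb8u1", "zip_loaded": True},
    {"host": "web-02", "php": "5.6.23", "zip_loaded": True},
    {"host": "web-03", "php": "7.0.7", "zip_loaded": False},
    {"host": "web-04", "php": "5.4.45", "zip_loaded": True},
    {"host": "web-05", "php": "7.1.0", "zip_loaded": True},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```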
Remediation
References