Last week we looked at an insecure WordPress function, maybe_unserialize(), that was part of the cause of a "critical" vulnerability that was receiving press coverage. We noted a couple of troubling conversations on the Trac ticket system for WordPress related to that function and to PHP object injection, which the insecure function permits. A commenter on the post pointed out another relevant Trac conversation that raises more concerns.
Someone labeled as a WordPress Core Committer wrote this, in part, in 2017: