Description
The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.
Remediation
References