Description
The make_http_soap_request function in ext/soap/php_http.c in PHP before 5.4.44, 5.5.x before 5.5.28, and 5.6.x before 5.6.12 does not properly retrieve keys, which allows remote attackers to cause a denial of service (NULL pointer dereference, type confusion, and application crash) or possibly execute arbitrary code via crafted serialized data representing a numerically indexed _cookies array, related to the SoapClient::__call method in ext/soap/soap.c.
Remediation
References
Related Vulnerabilities
WordPress Plugin NextGEN Gallery-WordPress Gallery Arbitrary File Upload (1.9.12)
Apache HTTP Server Other Vulnerability (CVE-2010-0408)
WordPress Plugin OMGF-Host Google Fonts Locally Multiple Vulnerabilities (4.5.3)
WordPress Plugin Happy Addons for Elementor Cross-Site Scripting (2.23.0)
WordPress Plugin FV Flowplayer Video Player Cross-Site Scripting (7.4.37.727)