The Mechanics of Deserialization

Serialization converts complex data structures (like objects or arrays) into a string format for storage or transmission. Deserialization reverses this process. Insecure Deserialization occurs when untrusted user input is passed directly into PHP's unserialize() function. If the application's codebase contains classes whose magic methods (such as __wakeup() or __destruct()) can be chained into harmful behaviour (a so-called "gadget chain"), an attacker can craft a serialized object payload that triggers unintended code execution or file deletion when the server parses it.

Object Injection in WordPress Plugins

While WordPress core has largely moved away from dangerous deserialization practices, many plugins still use PHP serialization to store complex settings or session data in cookies and hidden form fields. If a plugin reads a cookie containing serialized data and runs unserialize() on it without validation, an attacker can manipulate the cookie value to inject an arbitrary PHP object. When PHP wakes up that object (__wakeup()) or destroys it (__destruct()), the attacker-controlled properties drive whatever logic those methods contain.

Defending Against Deserialization Vulnerabilities

Protecting your platform from object injection requires using modern data exchange formats and secure parsing:

  • Use JSON Instead: Avoid PHP serialization for user-facing data. Use json_encode() and json_decode() instead. JSON is a data-only format: json_decode() never instantiates application classes, so the object-injection risk is eliminated.

  • Verify Signatures with HMAC: If you must carry serialized data across requests, sign the data with a Hash-based Message Authentication Code (HMAC). Verify the signature before calling unserialize(), so that any payload altered by the client is rejected before it is parsed.

  • Upgrade Plugins Regularly: Keep your plugins updated to benefit from security patches that transition legacy code away from unsafe deserialization routines.
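The JSON and HMAC recommendations above, shown side by side with the vulnerable cookie pattern from the plugin section, as an added example that is not code from the original article or from any WordPress plugin; the function names, cookie layout and demo secret are constructed.

```php
<?php
// Added example, not from the article; function names, cookie layout and secret are constructed.
// VULNERABLE pattern from the article: client-controlled serialized data goes
// straight into unserialize(), reaching any class with __wakeup()/__destruct().
function load_settings_unsafe(string $cookie_value)
{
    return unserialize(base64_decode($cookie_value));
}

// Hardened: JSON for the data, HMAC-SHA256 over the exact stored bytes.
function write_settings_cookie(array $settings, string $secret): string
{
    $json = json_encode($settings, JSON_THROW_ON_ERROR);
    $mac  = hash_hmac('sha256', $json, $secret);
    return $mac . '.' . base64_encode($json);   // "<hex mac>.<base64 json>"
}

function read_settings_cookie(string $cookie_value, string $secret): ?array
{
    $parts = explode('.', $cookie_value, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $b64] = $parts;
    $json = base64_decode($b64, true);
    if ($json === false) {
        return null;
    }
    // Verify in constant time BEFORE parsing anything from the payload.
    if (!hash_equals(hash_hmac('sha256', $json, $secret), $mac)) {
        return null;
    }
    $data = json_decode($json, true);   // arrays only; no class is instantiated
    return is_array($data) ? $data : null;
}

// Defence in depth for legacy serialized data you cannot migrate yet: with
// allowed_classes => false (PHP 7+) objects become __PHP_Incomplete_Class,
// so no application __wakeup()/__destruct() runs.
function unserialize_data_only(string $payload)
{
    return unserialize($payload, ['allowed_classes' => false]);
}
// In a real plugin derive the key from the site's secrets (e.g. wp_salt()).
$secret = 'constructed-demo-secret';
$cookie = write_settings_cookie(['theme' => 'dark', 'per_page' => 20], $secret);
var_dump(read_settings_cookie($cookie, $secret) !== null);        // valid cookie
$flipped = ($cookie[0] === '0' ? '1' : '0') . substr($cookie, 1); // tamper with MAC
var_dump(read_settings_cookie($flipped, $secret) === null);       // rejected
```

The second var_dump exercises the tamper path: a single changed character in the MAC makes hash_equals() fail and the payload is discarded without ever reaching json_decode().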