Setup (As admin)

- To simulate a gadget chain, put the following code in a plugin:

class Evil {
  public function __wakeup() : void {
    die("Arbitrary deserialization");

- Activate the plugin, access the Custom Fields Menu and create a simple Field Group

Attack (as a contributor)
- Create a new post with dummy content, fill in the plugin's text field at the bottom of the screen with O:4:"Evil":0:{}, then save the draft
- Reload the page and click "x revisions", this will trigger the PHP Object Injection